Abstract — We consider the problem of elimination of existential
quantifiers from a Boolean CNF formula. Our approach is based
on the following observation. One can get rid of dependency
on a set of variables of a quantified CNF formula $F$ by
adding resolvent clauses of $F$ eliminating boundary points. This
approach is similar to the method of quantifier elimination
described in [9]. The difference of the method described in the
present paper is twofold:

• branching is performed only on quantified variables, 

• an explicit search for boundary points is performed by calls 
to a SAT-solver 

Although we published the paper [9] before this one, chronologically
the method of the present report was developed first.
Preliminary presentations of this method were made in [10], [11].
We postponed a publication of this method due to preparation
of a patent application [8].

I. Introduction 

In this paper, we are concerned with the problem of elimination
of quantified variables from a Boolean CNF formula.
(Since we consider only existential quantifiers, further on we
omit the word "existential".) Namely, we solve the following
problem: given a Boolean CNF formula $\exists X.F(X,Y)$,
find a Boolean CNF formula $F^*(Y)$ such that
$F^*(Y) \equiv \exists X.F(X,Y)$. We will refer to this problem as QEP (Quantifier
Elimination Problem). Since QEP is to find a formula, it
is not a decision problem as opposed to the problem of
solving a Quantified Boolean Formula (QBF). QEP occurs in
numerous areas of hardware/software design and verification,
model checking [4], [18] being one of the most prominent
applications of QEP.

A straightforward method of solving QEP for CNF formula
$\exists X.F(X,Y)$ is to eliminate the variables of $X$ one by one,
in the way it is done in the DP procedure [5]. To delete a
variable $x_i$ of $X$, the DP procedure produces all possible
resolvents on variable $x_i$ and adds them to $F$. An obvious
drawback of such a method is that it generates a prohibitively
large number of clauses. Another set of QEP-solvers employ
the idea of enumerating satisfying assignments of formula
$F(X,Y)$. Here is how a typical method of this kind works.
First, a CNF formula $F^+(Y)$ is built such that each clause
$C$ of $F^+$ (called a blocking clause [17]) eliminates a set
of assignments satisfying $F(X,Y)$. By negating $F^+$ one
obtains a CNF formula $F^*(Y)$ that is a solution to QEP.



Unfortunately, $F^+$ may be exponentially larger than $F^*$.
This occurs, for instance, when
$F(X,Y) = F_1(X_1,Y_1) \wedge \ldots \wedge F_k(X_k,Y_k)$,
that is, when $F$ is the conjunction of independent CNF formulas $F_i$.
In this case, one can build $F^*(Y)$ as $F_1^* \wedge \ldots \wedge F_k^*$, where
$F_i^*(Y_i) \equiv \exists X_i.F_i(X_i,Y_i)$, $i = 1,\ldots,k$. So the size of $F^*$ is
linear in $k$ whereas that of $F^+$ is exponential in $k$. This fact
implies that QEP-solvers based on enumeration of satisfying
assignments are not compositional. (We say that a QEP-solver
is compositional if it reduces the problem of finding $F^*(Y)$ to
$k$ independent subproblems of finding $F_i^*(Y_i)$, $i = 1,\ldots,k$.)
Note that in practical applications, it is very important for a
QEP-solver to be compositional. Even if $F$ does not break
down into independent subformulas, there may be numerous
branches of the search tree where such subformulas appear.

Both kinds of QEP-solvers mentioned above have the same
drawback. A resolution-based QEP-solver can only efficiently
check if a clause $C$ of $F^*(Y)$ is correct, i.e. whether it is
implied by $F(X,Y)$. But how does one know if $F^*$ contains
a sufficient set of correct clauses, i.e. whether every assignment
$y$ satisfying $F^*$ can be extended to $(x,y)$ satisfying $F$? A
non-deterministic algorithm does not have to answer this question.
Once a sufficient set of clauses is derived, an oracle stops this
algorithm. But a deterministic algorithm has no oracle and so
has to decide for itself when it is the right time to terminate.
One way to guarantee the correctness of termination is to
enumerate the satisfying assignments of $F$. The problem here
is that then, the size of a deterministic derivation of $F^*$ may
be exponentially larger than that of a non-deterministic one.
(Non-compositionality of QEP-solvers based on enumeration
of satisfying assignments is just a special case of this problem.)

In this paper, we introduce a new termination condition
for QEP that is based on the notion of boundary points. A
complete assignment $p$ falsifying $F(X,Y)$ is an $X'$-boundary
point where $X' \subseteq X$ if a) every clause of $F$ falsified by $p$ has
a variable of $X'$ and b) the first condition breaks for every proper
subset of $X'$. An $X'$-boundary point $p$ is called removable
if no satisfying assignment of $F$ can be obtained from $p$
by changing values of variables of $X$. One can eliminate a
removable $X'$-boundary point by adding to $F$ a clause $C$ that
is implied by $F$ and does not have a variable of $X'$. If for a
set of variables $X''$ where $X'' \subseteq X$, formula $F(X,Y)$ does
not have a removable $X'$-boundary point where $X' \subseteq X''$,
the variables of $X''$ are redundant in formula $\exists X.F(X,Y)$.
This means that every clause with a variable of $X''$ can be
removed from $F(X,Y)$. QEP-solving terminates when the
current formula $F(X,Y)$ (consisting of the initial clauses
and resolvents) has no removable boundary points. A solution
$F^*(Y)$ to QEP is formed from $F(X,Y)$ by discarding every
clause that has a variable of $X$.

The new termination condition allows one to address drawbacks
of the QEP-solvers mentioned above. In contrast to the
DP procedure, only resolvents eliminating a boundary point
need to be added. This dramatically reduces the number of
resolvents one has to generate. On the other hand, a solution
$F^*$ can be derived directly without enumerating satisfying
assignments of $F$. In particular, using the new termination
condition makes a QEP-solver compositional.

To record the fact that all removable boundary points have
been removed from a subspace of the search space, we
introduce the notion of a dependency sequent (D-sequent for
short). Given a CNF formula $F(X,Y)$, a D-sequent has the
form $(F, X', q) \rightarrow X''$ where $q$ is a partial assignment to
variables of $X$, $X' \subseteq X$, $X'' \subseteq X$. Let $F_q$ denote formula
$F$ after assignments $q$ are made. We say that the D-sequent
above holds if

• the variables of $X'$ are redundant in $F_q$,

• the variables of $X''$ are redundant in the formula obtained
from $F_q$ by discarding every clause containing a variable
of $X'$.

The fact that the variables of $X'$ (respectively $X''$) are redundant
in $F$ means that $F$ has no removable $X^*$-boundary point
where $X^* \subseteq X'$ (respectively $X^* \subseteq X''$). The reason for using
the name "D-sequent" is that the validity of $(F, X', q) \rightarrow X''$
suggests interdependency of variables of $q$, $X'$ and $X''$.

In a sense, the notion of a D-sequent generalizes that
of an implicate of formula $F(X,Y)$. Suppose, for instance,
that $F \rightarrow C$ where $C = x_1 \vee x_2$, $x_1 \in X$, $x_2 \in X$.
After adding $C$ to $F$, the D-sequent $(F, \emptyset, q) \rightarrow X'$ where
$q = (x_1 = 0, x_2 = 0)$, $X' = X \setminus \{x_1, x_2\}$ becomes true. (An
assignment falsifying $C$ makes the unassigned variables of $F$
redundant.) But the opposite is not true. The D-sequent above
may hold even if $F \rightarrow C$ does not. (The latter means that $q$
can be extended to an assignment satisfying $F$.)

We will refer to the method of QEP-solving based on elimination
of boundary points as DDS (Derivation of D-Sequents).
We will refer to the QEP-solver based on the DDS method we
describe in this paper as DDS_impl (DDS implementation).
To reflect the progress in elimination of boundary points
of $F$, DDS_impl uses resolution of D-sequents. Suppose D-sequents
$(F, \emptyset, q_1) \rightarrow \{x_{10}\}$ and $(F, \emptyset, q_2) \rightarrow \{x_{10}\}$ have
been derived where $q_1 = (x_1 = 0, x_3 = 0)$ and $q_2 = (x_1 = 1, x_4 = 0)$.
Then a new D-sequent $(F, \emptyset, q) \rightarrow \{x_{10}\}$ where
$q = (x_3 = 0, x_4 = 0)$ can be produced from them by resolution
on variable $x_1$. DDS_impl terminates as soon as D-sequent
$(F, \emptyset, \emptyset) \rightarrow X$ is derived, which means that the variables of
$X$ are redundant in $F$ (because every removable $X'$-boundary
point where $X' \subseteq X$ has been eliminated from $F$ due to
adding resolvent-clauses).

Our contribution is threefold. First, we formulate a new
method of quantifier elimination based on the notion of
$X$-removable boundary points which are a generalization of those
introduced in [14]. One of the advantages of this method is
that it uses a new termination condition. Second, we introduce
the notion of D-sequents and the operation of resolution of
D-sequents. The calculus of D-sequents is meant for building
QEP-solvers based on the semantics of boundary point elimination.
Third, we describe a QEP-solver called DDS_impl and
prove its compositionality. We show that in contrast to a BDD-based
QEP-solver that is compositional only for particular
variable orderings, DDS_impl is compositional regardless of
how branching variables are chosen. We give preliminary
experimental results that show the promise of DDS.

This paper is structured as follows. In Section II, we
define the notions related to boundary points. The relation
between boundary points and QEP is discussed in Section III.
Section IV describes how adding/removing clauses affects
the set of boundary points of a formula. D-sequents are
introduced in Section V. Section VI describes DDS_impl. The
compositionality of DDS_impl is discussed in Section VII.
Section VIII describes experimental results. Some background
is given in Section IX. Section X summarizes this paper.

II. Basic Definitions 

Notation: Let $F$ be a CNF formula and $C$ be a clause.
We denote by $Vars(F)$ (respectively $Vars(C)$) the set of
variables of $F$ (respectively of $C$). If $q$ is a partial assignment
to $Vars(F)$, $Vars(q)$ denotes the variables assigned in $q$.

Notation: In this paper, we consider a quantified CNF formula
$\exists X.F(X,Y)$ where $X \cup Y = Vars(F)$ and $X \cap Y = \emptyset$.

Definition 1: A CNF formula $F^*(Y)$ is a solution to
the Quantifier Elimination Problem (QEP) if
$F^*(Y) \equiv \exists X.F(X,Y)$.

Definition 2: Given a CNF formula $G(Z)$, a complete assignment
to the variables of $Z$ is called a point.

Definition 3: Let $G(Z)$ be a CNF formula and $Z' \subseteq Z$. A
clause $C$ of $G$ is called a $Z'$-clause if $Vars(C) \cap Z' \neq \emptyset$.
Otherwise, $C$ is called a non-$Z'$-clause.

Definition 4: Let $G(Z)$ be a CNF formula and $Z' \subseteq Z$. A
point $p$ is called a $Z'$-boundary point of $G$ if $G(p) = 0$ and

1) Every clause of $G$ falsified by $p$ is a $Z'$-clause.

2) Condition 1 breaks for every proper subset of $Z'$.

A $Z'$-boundary point $p$ is at least $|Z'|$ flips away from a point
$p^*$, $G(p^*) = 1$ (if $p^*$ exists and only variables of $Z'$ are
allowed to be changed), hence the name "boundary".

Let $p$ be a $Z'$-boundary point of $G(Z)$ where $Z' = \{z\}$.
Then every clause of $G$ falsified by $p$ contains variable $z$. This
special class of boundary points was introduced in [13], [14].

Definition 5: Point $p$ is called a $Z'$-removable boundary
point of $G(Z)$ where $Z' \subseteq Z$ if $p$ is a $Z''$-boundary point
where $Z'' \subseteq Z'$ and there is a clause $C$ such that

• $p$ falsifies $C$;

• $C$ is a non-$Z'$-clause;

• $C$ is implied by the conjunction of $Z'$-clauses of $G$.

Adding clause $C$ to $G$ eliminates $p$ as a $Z''$-boundary point
($p$ falsifies clause $C$ and $C$ has no variables of $Z''$).

Proposition 1: Point $p$ is a $Z'$-removable boundary point
of a CNF formula $G(Z)$ iff no point $p^*$ obtained from $p$ by
changing values of (some) variables of $Z'$ satisfies $G$.

The proofs are given in the Appendix. 

Example 1: Let CNF formula $G$ consist of four clauses:
$C_1 = z_1 \vee z_2$, $C_2 = z_3 \vee z_4$, $C_3 = \overline{z}_1 \vee z_5$, $C_4 = \overline{z}_3 \vee z_5$.
Let $p = (z_1 = 0, z_2 = 0, z_3 = 0, z_4 = 0, z_5 = 0)$. Point $p$ falsifies
only $C_1$ and $C_2$. Since both $C_1$ and $C_2$ contain a variable of
$Z'' = \{z_1, z_3\}$, $p$ is a $Z''$-boundary point. (Note that $p$ is also,
for instance, a $\{z_2, z_4\}$-boundary point.) Let us check if point
$p$ is a $Z'$-removable boundary point where $Z' = \{z_1, z_3, z_5\}$.
One condition of Definition 5 is met: $p$ is a $Z''$-boundary
point, $Z'' \subseteq Z'$. However, the point $p^*$ obtained from $p$ by
flipping the values of $z_1, z_3, z_5$ satisfies $G$. So, according to
Proposition 1, $p$ is not a $Z'$-removable boundary point (i.e.
the clause $C$ of Definition 5 does not exist for $p$).

Definition 6: We will say that a boundary point p of 
F(X, Y) is just removable if it is X-removable. 

Remark 1: Informally, a boundary point $p$ of $F(X,Y)$ is
removable only if there exists a clause $C$ implied by $F$ and
falsified by $p$ such that $Vars(C) \subseteq Y$. The fact that an
$X''$-boundary point $p$ is not $X'$-removable (where $X'' \subseteq X'$) also
means that $p$ is not removable. The opposite is not true.

III. X-Boundary Points and Quantifier Elimination

In this section, we relate QEP-solving and boundary points.
First we define the notion of redundant variables in the context
of boundary point elimination (Definition 7). Then we show
that monotone variables are redundant (Proposition 2). Then
we prove that clauses containing variables of $X'$, $X' \subseteq X$
can be removed from formula $\exists X.F(X,Y)$ if and only if the
variables of $X'$ are redundant in $F$ (Proposition 3).

Definition 7: Let $F(X,Y)$ be a CNF formula and $X' \subseteq X$.
We will say that the variables of $X'$ are redundant in $F$ if $F$
has no removable $X''$-boundary point where $X'' \subseteq X'$.

Proposition 2: Let $G(Z)$ be a CNF formula and $z$ be a
monotone variable of $G$. (That is, clauses of $G$ contain the
literal of $z$ of only one polarity.) Then $z$ is redundant in $G$.

Definition 8: Let $F(X,Y)$ be a CNF formula. Denote by
$Dis(F, X')$ where $X' \subseteq X$ the CNF formula obtained from
$F(X,Y)$ by discarding all $X'$-clauses.

Proposition 3: Let $F(X,Y)$ be a CNF formula and $X'$ be
a subset of $X$. Then $\exists X.F(X,Y) \equiv \exists (X \setminus X').Dis(F, X')$
iff the variables of $X'$ are redundant in $F$.

Corollary 1: Let $F(X,Y)$ be a CNF formula. Let
$F^*(Y) = Dis(F, X)$. Then $F^*(Y) \equiv \exists X.F(X,Y)$ holds iff
the variables of $X$ are redundant in $F$.

IV. Appearance of Boundary Points When Adding/Removing Clauses

In this section, we give two theorems later used in Proposition 8
(about D-sequents built by DDS_impl). They describe
the type of clauses one can add to (or remove from) $G(Z)$
without creating a new $\{z\}$-removable boundary point where
$z \in Z$.

Proposition 4: Let $G(Z)$ be a CNF formula. Let $G$ have
no $\{z\}$-removable boundary points. Let $C$ be a clause. Then
the formula $G \wedge C$ does not have a $\{z\}$-removable boundary
point if at least one of the following conditions holds:
a) $C$ is implied by $G$; b) $z \notin Vars(C)$.

Proposition 5: Let $G(Z)$ be a CNF formula. Let $G$ have
no $\{z\}$-removable boundary points. Let $C$ be a $\{z\}$-clause of
$G$. Then the CNF formula $G'$ where $G' = G \setminus \{C\}$ does not
have a $\{z\}$-removable boundary point.

Remark 2: According to Propositions 4 and 5, adding
clause $C$ to a CNF formula $G$ or removing $C$ from $G$ may
produce a new $\{z\}$-removable boundary point only if:

• one adds to $G$ a $\{z\}$-clause $C$ that is not implied by $G$ or

• one removes from $G$ a clause $C$ that is not a $\{z\}$-clause.

V. Dependency Sequents (D-sequents) 
A. General Definitions and Properties 

In this subsection, we introduce D-sequents (Definition 10)
and resolution of D-sequents (Definition 12). Proposition 6
states that a D-sequent remains true if resolvent-clauses are
added to $F$. The soundness of resolving D-sequents is shown
in Proposition 7.

Definition 9: Let $F$ be a CNF formula and $q$ be a partial
assignment to $Vars(F)$. Denote by $F_q$ the CNF formula
obtained from $F$ by

• removing the literals of (unsatisfied) clauses of $F$ that
are set to 0 by $q$,

• removing the clauses of $F$ satisfied by $q$.

Definition 10: Let $F(X,Y)$ be a CNF formula. Let $q$ be a
partial assignment to variables of $X$ and $X'$ and $X''$ be subsets
of $X$ such that $Vars(q)$, $X'$, $X''$ do not overlap. A dependency
sequent (D-sequent) $S$ has the form $(F, X', q) \rightarrow X''$. We
will say that $S$ holds if

• the variables of $X'$ are redundant in $F_q$ (see Definition 9),

• the variables of $X''$ are redundant in $Dis(F_q, X')$ (see
Definition 8).

Example 2: Let CNF formula $F(X,Y)$ where $X = \{x_1, x_2\}$,
$Y = \{y_1, y_2\}$ consist of two clauses: $C_1 = x_1 \vee y_1$
and $C_2 = \overline{x}_1 \vee x_2 \vee y_2$. Note that variable $x_2$ is monotone
and hence redundant in $F$ (due to Proposition 2). After
discarding the clause $C_2$ (containing the redundant variable
$x_2$), variable $x_1$ becomes redundant. Hence, the D-sequent
$(F, \{x_2\}, \emptyset) \rightarrow \{x_1\}$ holds.

Proposition 6: Let $F^+(X,Y)$ be a CNF formula obtained
from $F(X,Y)$ by adding some resolvents of clauses of $F$.
Let $q$ be a partial assignment to variables of $X$ and $X' \subseteq X$.
Then the fact that D-sequent $(F, X', q) \rightarrow X''$ holds implies
that $(F^+, X', q) \rightarrow X''$ holds too. The opposite is not true.

Definition 11: Let $F(X,Y)$ be a CNF formula and $q'$, $q''$
be partial assignments to $X$. Let $Vars(q') \cap Vars(q'')$ contain
exactly one variable $x$ for which $q'$ and $q''$ have the opposite
values. Then the partial assignment $q$ such that

• $Vars(q) = (Vars(q') \cup Vars(q'')) \setminus \{x\}$,

• the value of each variable $x^*$ of $Vars(q)$ is equal to that
of $x^*$ in $Vars(q') \cup Vars(q'')$.

is denoted as $Res(q', q'', x)$ and called the resolvent of $q'$, $q''$
on $x$. Assignments $q'$ and $q''$ are called resolvable on $x$.

Proposition 7: Let $F(X,Y)$ be a CNF formula. Let D-sequents
$S_1$ and $S_2$ be equal to $(F, X_1, q_1) \rightarrow X'$ and
$(F, X_2, q_2) \rightarrow X'$ respectively. Let $q_1$ and $q_2$ be resolvable
on variable $x$. Denote by $q$ the partial assignment
$Res(q_1, q_2, x)$ and by $X^*$ the set $X_1 \cap X_2$. Then, if $S_1$ and $S_2$
hold, the D-sequent $S$ equal to $(F, X^*, q) \rightarrow X'$ holds too.

Definition 12: We will say that the D-sequent $S$ of Proposition 7
is produced by resolving D-sequents $S_1$ and $S_2$ on
variable $x$. $S$ is called the resolvent of $S_1$ and $S_2$ on $x$.
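
The definitions of Sections II to V can be checked by exhaustive enumeration on small formulas. The Python sketch below is an added example, not code from the paper and not DDS_impl (it is exponential brute force); the function names and the formula H are constructed here, and Example 1 is read with the clauses z1 ∨ z2, z3 ∨ z4, ¬z1 ∨ z5, ¬z3 ∨ z5.

```python
from itertools import product

# Encoding (an assumption of this sketch): a literal is (variable, polarity),
# a clause is a frozenset of literals, a formula is a list of clauses and a
# point or partial assignment is a dict {variable: 0 or 1}.
def clause(*lits):
    """clause("x1", "-x2") builds the clause x1 v ~x2."""
    return frozenset((l.lstrip("-"), 0 if l.startswith("-") else 1) for l in lits)

def falsified(F, p):
    """Clauses of F all of whose literals are set to 0 by the point p."""
    return [c for c in F if all(p[v] != pol for v, pol in c)]

def covered(cls, S):
    """True if every clause in cls has a variable of S."""
    return all(any(v in S for v, _ in c) for c in cls)

def is_boundary_point(G, p, Zs):
    """Definition 4. Coverage is monotone in the variable set, so testing the
    subsets that drop one variable is enough for the minimality condition."""
    bad = falsified(G, p)
    return bool(bad) and covered(bad, Zs) and not any(covered(bad, Zs - {z}) for z in Zs)

def flips(p, Zs):
    """Every point obtained from p by changing values of variables of Zs."""
    Zs = sorted(Zs)
    for vals in product((0, 1), repeat=len(Zs)):
        yield {**p, **dict(zip(Zs, vals))}

def is_removable(G, p, Zs):
    """Proposition 1 for a point that is a Z''-boundary point, Z'' inside Zs."""
    bad = falsified(G, p)
    return bool(bad) and covered(bad, Zs) and all(falsified(G, q) for q in flips(p, Zs))

def redundant(F, X, Xs):
    """Definition 7: F has no X-removable X''-boundary point with X'' inside Xs."""
    vs = sorted({v for c in F for v, _ in c} | set(X))
    for vals in product((0, 1), repeat=len(vs)):
        p = dict(zip(vs, vals))
        bad = falsified(F, p)
        if bad and covered(bad, Xs) and is_removable(F, p, set(X)):
            return False
    return True

def dis(F, Xs):
    """Definition 8: discard every Xs-clause."""
    return [c for c in F if not any(v in Xs for v, _ in c)]

def restrict(F, q):
    """Definition 9: F_q, without satisfied clauses and falsified literals."""
    return [frozenset(l for l in c if l[0] not in q)
            for c in F if not any(q.get(v) == pol for v, pol in c)]

def dsequent_holds(F, X, X1, q, X2):
    """Definition 10: does the D-sequent (F, X1, q) -> X2 hold?"""
    Fq, free = restrict(F, q), set(X) - set(q)
    return redundant(Fq, free, X1) and redundant(dis(Fq, X1), free - set(X1), X2)

def res(q1, q2, x):
    """Definition 11: resolvent of two partial assignments on x."""
    clash = [v for v in q1.keys() & q2.keys() if q1[v] != q2[v]]
    if clash != [x]:
        raise ValueError("assignments are not resolvable on " + x)
    return {v: b for v, b in {**q1, **q2}.items() if v != x}

def solves_qep(F_star, F, X, Y):
    """Definition 1 by enumeration: F*(Y) agrees with exists X. F(X,Y) for every y."""
    Y = sorted(Y)
    for vals in product((0, 1), repeat=len(Y)):
        y = {**dict.fromkeys(X, 0), **dict(zip(Y, vals))}
        if (not falsified(F_star, y)) != any(not falsified(F, p) for p in flips(y, X)):
            return False
    return True

# Example 1 (clauses as read in the lead-in) and its all-zero point p.
G = [clause("z1", "z2"), clause("z3", "z4"), clause("-z1", "z5"), clause("-z3", "z5")]
P = dict.fromkeys(["z1", "z2", "z3", "z4", "z5"], 0)
# Example 2: F = (x1 v y1) & (~x1 v x2 v y2), X = {x1, x2}.
F = [clause("x1", "y1"), clause("-x1", "x2", "y2")]
# Constructed formula H(x, y1, y2) and H_PLUS = H plus the resolvent on x.
H = [clause("x", "y1"), clause("-x", "y2")]
H_PLUS = H + [clause("y1", "y2")]

if __name__ == "__main__":
    print(is_boundary_point(G, P, {"z1", "z3"}), is_removable(G, P, {"z1", "z3", "z5"}))
    print(dsequent_holds(F, {"x1", "x2"}, {"x2"}, {}, {"x1"}))
    print(redundant(H, {"x"}, {"x"}), redundant(H_PLUS, {"x"}, {"x"}))
    print(solves_qep(dis(H_PLUS, {"x"}), H, {"x"}, {"y1", "y2"}))
    print(res({"x1": 0, "x3": 0}, {"x1": 1, "x4": 0}, "x1"))
```

In H the point (x = 0, y1 = 0, y2 = 0) is a removable {x}-boundary point; adding the resolvent y1 ∨ y2 eliminates it, after which Dis(H_PLUS, {x}) is a solution to QEP for H, as Corollary 1 states.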

B. Derivation of D-sequents in DDS_impl 

In this subsection, we discuss generation of D-sequents in
DDS_impl (see Section VI). DDS_impl builds a search tree by
branching on variables of $X$ of $F(X,Y)$.

Definition 13: Let $q_1$ and $q_2$ be partial assignments to
variables of $X$. We will denote by $q_1 \leq q_2$ the fact that
a) $Vars(q_1) \subseteq Vars(q_2)$ and b) every variable of $Vars(q_1)$
is assigned in $q_1$ exactly as in $q_2$.

Let $q$ be the current partial assignment to variables of $X$
and $X_{red}$ be the unassigned variables proved redundant in $F_q$.
DDS_impl generates a new D-sequent a) by resolving two
existing D-sequents or b) if one of the conditions below is
true.

1) A (locally) empty clause appears in $Dis(F_q, X_{red})$.
Suppose, for example, that $F$ contains clause
$C = x_1 \vee \overline{x}_5 \vee x_7$. Assume that assignments $(x_1 = 0, x_5 = 1)$ are
made turning $C$ into the unit clause $x_7$. Assignment $x_7 = 0$
makes $C$ an empty clause and so eliminates all boundary
points of $Dis(F_q, X_{red})$. So DDS_impl builds D-sequent
$(F, \emptyset, g) \rightarrow X'$ where $g = (x_1 = 0, x_5 = 1, x_7 = 0)$ and $X'$ is
the set of unassigned variables of $Dis(F_q, X_{red})$ that are not
in $X_{red}$.

2) $Dis(F_q, X_{red})$ has only one variable $x$ of $X$ that is not
assigned and is not redundant. In this case, DDS_impl makes $x$
redundant by adding resolvents on variable $x$ and then builds
D-sequent $(F, X'_{red}, g) \rightarrow \{x\}$ where $X'_{red} \subseteq X_{red}$, $g \leq q$
and $X'_{red}$ and $g$ are defined in Proposition 8 below (see also
Remark 3).

3) A monotone variable $x$ appears in formula
$Dis(F_q, X_{red})$. Then DDS_impl builds D-sequent
$(F, X'_{red}, g) \rightarrow \{x\}$ where $X'_{red} \subseteq X_{red}$, $g \leq q$ and
$X'_{red}$ and $g$ are defined in Proposition 8 (see Remark 4).

Proposition 8 and Remark 3 below explain how to pick
a subset of assignments of the current partial assignment $q$
responsible for the fact that a variable $x$ is redundant in
branch $q$. This is similar to picking a subset of assignments
responsible for a conflict in SAT-solving.

Proposition 8: Let $F(X,Y)$ be a CNF formula and $q$ be a
partial assignment to variables of $X$. Let $X_{red}$ be the variables
proved redundant in $F_q$. Let $x$ be the only variable of $X$ that
is not in $Vars(q) \cup X_{red}$. Let D-sequent $(F, X_{red}, q) \rightarrow \{x\}$
hold. Then D-sequent $(F, X'_{red}, g) \rightarrow \{x\}$ holds where $g$ and
$X'_{red}$ are defined as follows. Partial assignment $g$ to variables
of $X$ satisfies the two conditions below (implying that $g \leq q$):

1) Let $C$ be a $\{x\}$-clause of $F$ that is not in $Dis(F_q, X_{red})$.
Then either

• $g$ contains an assignment satisfying $C$ or

• D-sequent $(F, X^*_{red}, g^*) \rightarrow \{x^*\}$ holds where
$g^* \leq g$, $X^*_{red} \subseteq X_{red}$, $x^* \in (X_{red} \cap Vars(C))$.

2) Let $p_1$ be a point such that $q \leq p_1$. Let $p_1$ falsify a
clause of $F$ with literal $x$. Let $p_2$ be obtained from $p_1$
by flipping the value of $x$ and falsify a clause of $F$ with
literal $\overline{x}$. Then there is a non-$\{x\}$-clause $C$ of $F$ falsified
by $p_1$ and $p_2$ such that $(Vars(C) \cap X) \subseteq Vars(g)$.

The set $X'_{red}$ consists of all the variables already proved
redundant in $F_g$. That is, every redundant variable $x^*$ of $X_{red}$
with D-sequent $(F, X^*_{red}, g^*) \rightarrow \{x^*\}$ such that $g^* \leq g$,
$X^*_{red} \subseteq X_{red}$ is in $X'_{red}$.

Remark 3: When backtracking (and making new assignments)
formula $Dis(F_q, X_{red})$ changes. Partial assignment $g$
is formed so as to prevent the changes that may produce new
$\{x\}$-boundary points. According to Remark 2, this may occur
only in two cases.

The first case is adding an $\{x\}$-clause $C$ to $Dis(F_q, X_{red})$.
This may happen after backtracking if $C$ was satisfied or
contained a redundant variable. Condition 1 of Proposition 8
makes $g$ contain assignments that prevent $C$ from appearing.

The second case is removing a non-$\{x\}$-clause $C$ from
$Dis(F_q, X_{red})$. This may happen if $C$ contains a literal falsified
by an assignment in $q$ and then this assignment is flipped.
Condition 2 of Proposition 8 makes $g$ contain assignments
guaranteeing that a "mandatory" set of clauses preventing
appearance of new $\{x\}$-boundary points is present when
D-sequent $(F, X'_{red}, g) \rightarrow \{x\}$ is used.

Remark 4: If $x$ is monotone, Condition 2 of Proposition 8
is vacuously true because $p_1$ or $p_2$ does not exist. So one can
drop the requirement of Proposition 8 about $x$ being the only
variable of $X$ that is not in $Vars(q) \cup X_{red}$. (It is used only
when proving that the contribution of non-$\{x\}$-clauses into
$g$ specified by Condition 2 is correct. But if $x$ is monotone,
non-$\{x\}$-clauses are not used when forming $g$.)

C. Notation Simplification for D-sequents of DDS_impl 

In the description of DDS_impl we will use the notation
$g \rightarrow X''$ instead of $(F, X', g) \rightarrow X''$. We do this for two
reasons. First, according to Proposition 6, in any D-sequent
$(F_{earlier}, X', g) \rightarrow X''$, one can replace $F_{earlier}$ with $F_{current}$
where the latter is obtained from the former by adding some
resolvent-clauses. Second, whenever DDS_impl derives a new
D-sequent, $X'$ is the set $X_{red}$ of all unassigned variables of
$F_q$ already proved redundant. So when we say that $g \rightarrow X''$
holds we mean that $(F, X', g) \rightarrow X''$ does where $F$ is the
current formula (i.e. the latest version of $F$) and $X'$ is $X_{red}$.



VI. Description of DDS_impl

A. Search tree 

DDS_impl branches on variables of $X$ of $F(X,Y)$ building
a search tree. The current path of the search tree is specified by
partial assignment $q$. DDS_impl does not branch on variables
proved redundant for current $q$. Backtracking to the root of the
search tree means derivation of D-sequent $\emptyset \rightarrow X$ (here we
use the simplified notation of D-sequents, see Subsection V-C).
At this point, DDS_impl terminates. We will denote the last
variable assigned in $q$ as $Last(q)$.

Let $x$ be a branching variable. DDS_impl maintains the
notion of left and right branches corresponding to the first
and second assignment to $x$ respectively. (In the modern SAT-solvers,
the second assignment to a branching variable $x$ is
implied by a clause $C$ derived in the left branch of $x$ where
$C$ is empty in the left branch. A QEP-solver usually deals
with satisfiable formulas. If the left branch of $x$ contains a
satisfying assignment, clause $C$ above does not exist.)

Although DDS_impl distinguishes between decision and 
implied assignments (and employs BCP procedure), no notion 
of decision levels is used. When an assignment (decision or 
implied) is made to a variable, the depth of the current path 
increases by one and a new node of the search tree is created 
at the new depth. The current version of DDS_impl maintains 
a single search tree (no restarts are used). 

B. Leaf Condition, Active D-sequents, Branch Flipping 

Every assignment made by DDS_impl is added to $q$. The
formula DDS_impl operates on is $Dis(F_q, X_{red})$. When a
monotone variable $x$ appears in $Dis(F_q, X_{red})$, it is added
to the set $X_{red}$ of redundant variables of $F_q$ and the
$\{x\}$-clauses are removed from $Dis(F_q, X_{red})$. For every variable
$x'$ of $X_{red}$ there is one D-sequent $g \rightarrow \{x'\}$ where $g \leq q$.
We will call such a D-sequent active. (Partial assignment $g$ is
in general different for different variables of $X_{red}$.) Let $D^{act}_{seq}$
denote the current set of active D-sequents.

DDS_impl keeps adding assignments to $q$ until every variable
of $F$ is either assigned (i.e. in $Vars(q)$) or redundant (i.e.
in $X_{red}$). We will refer to this situation as the leaf condition.
The appearance of an empty clause in $Dis(F_q, X_{red})$ is one
of the cases where the leaf condition holds.

If DDS_impl is in the left branch of $x$ (where $x = Last(q)$)
when the leaf condition occurs, DDS_impl starts the right
branch by flipping the value of $x$. For every variable $x'$ of
$X_{red}$, DDS_impl checks if $g$ of D-sequent $g \rightarrow \{x'\}$ contains
an assignment to $x$. If it does, then this D-sequent is not true
any more. Variable $x'$ is removed from $X_{red}$ and $g \rightarrow \{x'\}$ is
removed from $D^{act}_{seq}$ and added to the set $D^{inact}_{seq}$ of inactive
D-sequents. Every $\{x'\}$-clause $C$ discarded from $Dis(F_q, X_{red})$
due to redundancy of $x'$ is recovered (unless $C$ contains a
variable that is still in $X_{red}$).

C. Merging Results of Left and Right Branches 

If DDS_impl is in the right branch of $x$ (where $x = Last(q)$)
when the leaf condition occurs, then DDS_impl does the
following. First DDS_impl unassigns $x$. Then DDS_impl examines
the list of variables removed from $X_{red}$ after flipping
the value of $x$. Let $x'$ be such a variable and $S_{left}$ and
$S_{right}$ be the D-sequents of $x'$ that were active in the left
and right branch respectively. (Currently $S_{left}$ is in $D^{inact}_{seq}$.)
If $S_{right}$ does not depend on $x$, then $S_{left}$ is just removed
from $D^{inact}_{seq}$ and $S_{right}$ remains in the set of active D-sequents
$D^{act}_{seq}$. Otherwise, $S_{left}$ is resolved with $S_{right}$ on $x$. Then $S_{left}$
and $S_{right}$ are removed from $D^{inact}_{seq}$ and $D^{act}_{seq}$ respectively,
and the resolvent is added to $D^{act}_{seq}$ and becomes a new active
D-sequent of $x'$.

Then DDS_impl makes variable $x$ itself redundant. (At
this point every variable of $X$ but $x$ is either assigned
or redundant.) To this end, DDS_impl eliminates all
$\{x\}$-removable boundary points from $Dis(F_q, X_{red})$ by adding
some resolvents on variable $x$. This is done as follows. First,
a CNF $H$ is formed from $Dis(F_q, X_{red})$ by removing all the
$\{x\}$-clauses and adding a set of "directing" clauses $H_{dir}$. The
latter is satisfied by an assignment $p$ iff at least one clause $C'$
of $Dis(F_q, X_{red})$ with literal $x$ and one clause $C''$ with literal
$\overline{x}$ is falsified by $p$. (How $H_{dir}$ is built is described in [12].)
The satisfiability of $H$ is checked by calling a SAT-solver. If
$H$ is satisfied by an assignment $p$, then the latter is an
$\{x\}$-removable boundary point of $Dis(F_q, X_{red})$. It is eliminated
by adding a resolvent $C$ on $x$ to $Dis(F_q, X_{red})$. (Clause $C$ is
also added to $H$.) Otherwise, the SAT-solver returns a proof
Proof that $H$ is unsatisfiable.

Finally, a D-sequent $g \rightarrow \{x'\}$ is generated satisfying the
conditions of Proposition 8. To make $g$ satisfy the second
condition of Proposition 8, DDS_impl uses Proof above.
Namely, every assignment falsifying a literal of a clause of
$Dis(F_q, X_{red})$ used in Proof is included in $g$.

D. Pseudocode of DDS_impl 

The main loop of DDS_impl is shown in Figure 1.
DDS_impl can be in one of the six states listed in Figure 1.
DDS_impl terminates when it reaches the state Finish.
Otherwise, DDS_impl calls the procedure corresponding to
the current state. This procedure performs some actions and
returns the next state of DDS_impl.

DDS_impl starts in the BCP state in which it runs the bcp
procedure (Figure 3). Let $C$ be a unit clause of $Dis(F_q, X_{red})$
where $Vars(C) \subseteq X$. As we mentioned in Subsection V-B,
DDS_impl adds D-sequent $g \rightarrow X''$ to $D^{act}_{seq}$ where
$X'' = X \setminus (Vars(q) \cup X_{red})$ and $g$ is the minimal assignment
falsifying $C$. This D-sequent corresponds to the (left) branch
of the search tree. In this branch, the only literal of $C$ is
falsified, which makes the leaf condition true.

If a conflict occurs during BCP, DDS_impl switches to the
state Conflict and calls a procedure that generates a conflict
clause $C_{cnfl}$ (Figure 5). Then DDS_impl backtracks to the first
node of the search tree at which $C_{cnfl}$ becomes unit.

If BCP does not lead to a conflict, DDS_impl switches to the
state Decision_Making and calls a decision making procedure
(Figure 2). This procedure first looks for monotone variables.
($X_{mon}$ of Figure 2 denotes the set of new monotone variables.)
If after processing monotone variables every unassigned variable
is redundant, DDS_impl switches to the Backtracking state
(and calls the backtrack procedure, see Figure 6). Otherwise,
a new assignment is made and added to $q$.

If DDS_impl backtracks to the right branch of $x$ (where
$x$ may be an implied or a decision variable), it switches to
the state BPE (Boundary Point Elimination) and calls the bpe
procedure (Figure 4). This procedure merges results of left and
right branches as described in Subsection VI-C.

E. Example 

Example 3: Let $F(X,Y)$ consist of clauses: $C_1 = x_1 \vee y_1$,
$C_2 = \overline{x}_1 \vee x_2 \vee y_2$, $C_3 = x_1 \vee \overline{x}_2 \vee y_3$. Let us consider how
DDS_impl builds formula $F^*(Y)$ equivalent to $\exists X.F(X,Y)$.
Originally, $q$, $X_{red}$, $D^{act}_{seq}$, $D^{inact}_{seq}$ are empty. Since $F$ does
not have a unit clause, DDS_impl switches to the state
Decision_Making. Suppose DDS_impl picks $x_1$ for branching and
first makes assignment $x_1 = 0$. At this point, $q = (x_1 = 0)$,
clause $C_2$ is satisfied and $F_q = y_1 \wedge (\overline{x}_2 \vee y_3)$.

Before making the next decision, DDS_impl processes the
monotone variable $x_2$. First the D-sequent $g \rightarrow \{x_2\}$ is derived
and added to $D^{act}_{seq}$ where $g = (x_1 = 0)$. (The appearance
of the assignment $(x_1 = 0)$ in $g$ is due to Proposition 8.
According to Condition 1, $g$ has to contain assignments that
keep satisfied or redundant the $\{x_2\}$-clauses that are not
currently in $F_q$. The only $\{x_2\}$-clause that is not in $F_q$ is
$C_2$. It is satisfied by $(x_1 = 0)$.) Variable $x_2$ is added to $X_{red}$
and clause $\overline{x}_2 \vee y_3$ is removed from $F_q$ as containing redundant
variable $x_2$. So $Dis(F_q, X_{red}) = y_1$.

Since $X$ has no variables to branch on (the leaf condition),
DDS_impl backtracks to the last assignment $x_1 = 0$ and starts
the right branch of $x_1$. So $q = (x_1 = 1)$. Since the D-sequent
$(x_1 = 0) \rightarrow \{x_2\}$ is not valid now, it is moved from $D^{act}_{seq}$ to
$D^{inact}_{seq}$. Since $x_2$ is not redundant anymore, it is removed from
$X_{red}$ and the clause $C_2$ is recovered in $F_q$ which is currently
equal to $x_2 \vee y_2$ (because $C_1$ and $C_3$ are satisfied by $q$).

Since $x_2$ is monotone again, D-sequent $(x_1 = 1) \rightarrow \{x_2\}$
is derived, $x_2$ is added to $X_{red}$ and $C_2$ is removed from $F_q$.
So $Dis(F_q, X_{red}) = \emptyset$. At this point DDS_impl backtracks
to the right branch of $x_1$ and switches to the state BPE.

In the BPE state, $x_1$ is unassigned. $C_1$ satisfied by assignment
$x_1 = 1$ is recovered. $C_2$ and $C_3$ (removed due
to redundancy of $x_2$) are not recovered. The reason is that
redundancy of $x_2$ has been proved in both branches of $x_1$. So
$x_2$ stays redundant due to generation of D-sequent $\emptyset \rightarrow \{x_2\}$
obtained by resolving D-sequents $(x_1 = 0) \rightarrow \{x_2\}$ and
$(x_1 = 1) \rightarrow \{x_2\}$ on $x_1$. So $Dis(F_q, X_{red}) = C_1$. D-sequent
$\emptyset \rightarrow \{x_2\}$ replaces $(x_1 = 1) \rightarrow \{x_2\}$ in $D^{act}_{seq}$. D-sequent
$(x_1 = 0) \rightarrow \{x_2\}$ is removed from $D^{inact}_{seq}$.

Then DDS_impl is supposed to make $x_1$ redundant by
adding resolvents on $x_1$ that eliminate $\{x_1\}$-removable
boundary points of $Dis(F_q, X_{red})$. Since $x_1$ is monotone
in $Dis(F_q, X_{red})$ it is already redundant. So D-sequent
$\emptyset \rightarrow \{x_1\}$ is derived and $x_1$ is added to $X_{red}$. Since $q$ is currently
empty, DDS_impl terminates returning an empty set of
clauses as a CNF formula $F^*(Y)$ equivalent to $\exists X.F(X,Y)$.



// Given F(X,Y), DDS_impl returns F*(Y)
// such that F*(Y) ≡ ∃X.F(X,Y)
// q is a partial assignment to vars of X
// States of DDS_impl are Finish, BCP, BPE,
// Decision_Making, Conflict, Backtracking

DDS_impl(F, X, Y)
{ while (True) {
    if (state == Finish)
      return(Dis(F, X));
    if (state == Non_Finish_State) {
      state = state_procedure(q, other_params);
      continue; } } }

Fig. 1. Main loop of DDS_impl

decision_making(q, F, X, X_red, D_seq^act)
{ (X_mon, D_seq^act(X_mon)) ← find_monot_vars(F, X);
  D_seq^act = D_seq^act(X_red) ∪ D_seq^act(X_mon);
  X_red = X_red ∪ X_mon;
  if (X = X_red ∪ Vars(q)) {
    if (Vars(q) == ∅) return(Finish);
    else return(Backtracking); }
  F = Dis(F, X_mon);
  assgn(x) ← pick_assgn(F, X);
  q = q ∪ assgn(x);
  return(BCP); }

Fig. 2. Pseudocode of the decision_making procedure

Proposition 9: DDS_impl is sound and complete.

bcp(q, F, C_unsat)
{ (answer, F, q, C_unsat, D_seq^act) ← run_bcp(q, F);
  if (answer == unsat_clause) return(Conflict);
  else return(Decision_Making); }

Fig. 3. Pseudocode of the bcp procedure

bpe(q, F, X_red, D_seq^act, D_seq^inact)
{ x = Last(q);
  (q, F) ← unassign(q, F, x);
  (F, Proof) ← elim_bnd_pnts(F, x);
  optimize(Proof);
  (D_seq^act, D_seq^inact) ← resolve(D_seq^act, D_seq^inact, x);
  D_seq^act({x}) = gen_Dsequent(q, Proof);
  D_seq^act = D_seq^act(X_red) ∪ D_seq^act({x});
  X_red = X_red ∪ {x};
  F = Dis(F, {x});
  if (Vars(q) == ∅) return(Finish);
  else return(Backtracking); }

Fig. 4. Pseudocode of the bpe procedure

cnfl_processing(q, F, C_unsat)
{ (q, F, C_cnfl) ← gen_cnfl_clause(q, F, C_unsat);
  F = F ∪ C_cnfl;
  if (C_cnfl == ∅) return(Finish);
  x = Last(q);
  if (left_branch(x)) return(BCP);
  else return(BPE); }

Fig. 5. Pseudocode of the cnfl_processing procedure

backtrack(q, F, X_red, D_seq^act, D_seq^inact)
{ x = Last(q);
  if (right_branch(x)) return(BPE);
  q = flip_assignment(q, x);
  X' = find_affected_red_vars(D_seq^act(X_red), x);
  X_red = X_red \ X';
  F = recover_clauses(F, X');
  return(BCP); }

Fig. 6. Pseudocode of the backtrack procedure

VII. Compositionality of DDS_impl

Let $F(X,Y) = F_1(X_1,Y_1) \wedge \ldots \wedge F_k(X_k,Y_k)$ where $(X_i \cup Y_i) \cap (X_j \cup Y_j) = \emptyset$, $i \neq j$. As we mentioned in the introduction, the formula $F^*(Y)$ equivalent to $\exists X.F(X,Y)$ can be built as $F_1^* \wedge \ldots \wedge F_k^*$ where $F_i^*(Y_i) \equiv \exists X_i.F_i(X_i,Y_i)$.

We will say that a QEP-solver is compositional if it reduces the problem of finding $F^*$ to k independent subproblems of building $F_i^*$. The DP-procedure [5] is compositional (clauses of $F_i$ and $F_j$, $i \neq j$ cannot be resolved with each other). However, it may generate a huge number of redundant clauses. A QEP-solver based on enumeration of satisfying assignments is not compositional. (The number of blocking clauses, i.e. clauses eliminating satisfying assignments of F, is exponential in k). A QEP-solver based on BDDs [3] is compositional but only for variable orderings where variables of $F_i$ and $F_j$, $i \neq j$ do not interleave.

Proposition 10: DDS_impl is compositional regardless of 
how branching variables are chosen. 

The fact that DDS_impl is compositional regardless of 
branching choices is important in practice. Suppose F{X, Y) 
does not have independent subformulas but such subformulas 
appear in branches of the search tree. A BDD-based QEP- 
solver may not be able to handle this case because a BDD 
maintains one global variable order (and different branches 
may require different variable orders). DDS_impl does not 
have such a limitation. It will automatically use its compo- 
sitionality whenever independent subformulas appear. 
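The compositionality of DP-style elimination noted in this section can be checked on a small case. The following Python sketch is an added example, not code from the paper or from DDS_impl; the signed-integer clause encoding, the function names and the two sample subformulas are assumptions made for illustration.

```python
def resolve(c1, c2, var):
    """Resolvent of c1 (contains var) and c2 (contains -var) on var.
    Returns None when the resolvent is a tautology."""
    res = (c1 - {var}) | (c2 - {-var})
    if any(-lit in res for lit in res):
        return None
    return frozenset(res)


def dp_eliminate(clauses, quantified):
    """DP-style elimination: for each quantified variable x, add all
    resolvents on x, then drop every clause that mentions x.
    Returns (remaining clauses, list of resolvents produced)."""
    f = {frozenset(c) for c in clauses}
    produced = []
    for x in quantified:
        pos = [c for c in f if x in c]
        neg = [c for c in f if -x in c]
        f = {c for c in f if x not in c and -x not in c}
        for c1 in pos:
            for c2 in neg:
                r = resolve(c1, c2, x)
                if r is not None:
                    produced.append(r)
                    f.add(r)
    return f, produced


def variables(clause):
    return {abs(lit) for lit in clause}


# Constructed sample: two subformulas over disjoint variable sets.
# F1: X1 = {1, 2}, Y1 = {3, 4};  F2: X2 = {5, 6}, Y2 = {7, 8}.
F1 = [[1, 3], [-1, 2], [-2, 4]]
F2 = [[5, 7], [-5, 6], [-6, 8], [-5, -6, 7]]
X1, X2 = [1, 2], [5, 6]
VARS1, VARS2 = {1, 2, 3, 4}, {5, 6, 7, 8}


def compositional_run(order):
    """Eliminate X from F1 AND F2 in the given variable order and compare
    with eliminating X1 from F1 and X2 from F2 independently."""
    whole, resolvents = dp_eliminate(F1 + F2, order)
    part1, _ = dp_eliminate(F1, [x for x in order if x in X1])
    part2, _ = dp_eliminate(F2, [x for x in order if x in X2])
    # Resolvents that mention variables of both subformulas (none expected).
    mixed = [r for r in resolvents
             if variables(r) & VARS1 and variables(r) & VARS2]
    return whole, part1 | part2, mixed


if __name__ == "__main__":
    for order in ([1, 2, 5, 6], [5, 1, 6, 2]):
        whole, parts, mixed = compositional_run(order)
        print(order, sorted(map(sorted, whole)), whole == parts, mixed)
```

For the second subformula the result contains both the unit clause on variable 7 and the clause over variables 7 and 8 that it subsumes, a small instance of the redundant clauses DP can produce.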

VIII. Experimental Results 
TABLE I
Results for the sum-of-counters experiment

 m    k   state    EnumSA   interpolation        DDS_impl
          vars              Picosat   Minisat    rand.   heur.
 4   20     80       *        0.4       0.1       0.5     0.4
 5   40    200       *        42        26        7       5
 6   80    480       *        *         *         101     67

Instances marked with * exceeded the time limit (2 hours).



In this section, we give results of some experiments with an implementation of DDS_impl. The objectives of our experiments were a) to emphasize the compositionality of DDS_impl; b) to compare DDS_impl with a QEP-solver based on enumeration of satisfying assignments. As such a QEP-solver we used an implementation of the algorithm recently introduced at CAV-11 [2] (courtesy of Andy King). (We will refer to this QEP-solver as EnumSA.) For the sake of completeness we also compared DDS_impl and EnumSA with our implementation of the DP procedure.

TABLE II
Experiments with model checking formulas

model checking   DP                     EnumSA                 DDS_impl
mode             solved (%)  time (s.)  solved (%)  time (s.)  solved (%)  time (s.)
forward          416 (54%)   664        425 (56%)   466        531 (70%)   3,143
backward         47 (6%)     13         97 (12%)    143        559 (73%)   690

The time limit is 1 min.

Our current implementation of DDS_impl is not particularly well optimized yet and written just to satisfy the two objectives above. For example, to simplify the code, the SAT-solver employed to find boundary points does not use fast BCP (watched literals). More importantly, the current version of DDS_impl lacks important features that should have a dramatic impact on its performance. For example, to simplify memory management, DDS_impl does not currently reuse D-sequents. As soon as two D-sequents are resolved (to produce a new D-sequent) they are discarded.

To verify the correctness of results of DDS_impl we used two approaches. If an instance $\exists X.F(X,Y)$ was solved by EnumSA we simply checked the CNF formulas $F^*(Y)$ produced by DDS_impl and EnumSA for equivalence. Otherwise, we applied a two-step procedure. First, we checked that every clause of $F^*$ was implied by F. Second, we did random testing to see if $F^*$ missed some clauses. Namely, we randomly generated assignments y satisfying $F^*$. For every y we checked if it could be extended to (x,y) satisfying F. (If no such extension exists, then $F^*$ is incorrect.)
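The two-step check described above, as an added Python example that is not the authors' test harness. Brute-force enumeration stands in for a SAT-solver, random assignments to Y are drawn by rejection sampling, and the function names, the signed-integer clause encoding and the sample formula (two clauses whose resolvent on x is the unit clause y) are assumptions.

```python
import random
from itertools import product


def satisfies(clauses, assignment):
    """True if every clause has a literal made true by `assignment`."""
    return all(any(assignment[abs(l)] == (l > 0) for l in c) for c in clauses)


def extensions(all_vars, base):
    """Yield every total assignment over `all_vars` that extends `base`."""
    free = [v for v in all_vars if v not in base]
    for bits in product([False, True], repeat=len(free)):
        yield {**base, **dict(zip(free, bits))}


def clause_implied(f, all_vars, clause):
    """F implies C iff F AND (NOT C) is unsatisfiable; NOT C fixes every
    literal of C to false."""
    base = {abs(l): (l < 0) for l in clause}
    return not any(satisfies(f, a) for a in extensions(all_vars, base))


def check_qe_result(f, x_vars, y_vars, f_star, samples=200, seed=0):
    """Two-step check of a claimed F*(Y) for EXISTS X. F(X, Y).

    Step 1: every clause of F* must be implied by F (F* is not too strong).
    Step 2: random y satisfying F* must extend to (x, y) satisfying F
            (F* is not missing clauses).
    Returns ("ok", None), ("not_implied", clause) or ("missing_clause", y).
    """
    all_vars = list(x_vars) + list(y_vars)
    for clause in f_star:
        if not clause_implied(f, all_vars, clause):
            return ("not_implied", clause)
    rng = random.Random(seed)
    for _ in range(samples):
        y = {v: rng.random() < 0.5 for v in y_vars}
        if not satisfies(f_star, y):
            continue  # rejection sampling: keep only y satisfying F*
        if not any(satisfies(f, a) for a in extensions(all_vars, y)):
            return ("missing_clause", y)
    return ("ok", None)


# Constructed sample: x is variable 1, y is variable 2.
# F = (x OR y) AND (NOT x OR y); the correct F*(Y) is the unit clause y.
F = [[1, 2], [-1, 2]]

if __name__ == "__main__":
    print(check_qe_result(F, [1], [2], [[2]]))    # correct F*
    print(check_qe_result(F, [1], [2], []))       # F* misses the clause y
    print(check_qe_result(F, [1], [2], [[-2]]))   # clause not implied by F
```

Step 2 is a randomized test, so an "ok" result on a formula with many Y variables only means no counterexample was sampled.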

In the first experiment (Table I), we considered a circuit N of k independent m-bit counters. Each counter had an independent input variable. The property we checked (further referred to as $\xi$) was $Num(Cnt_1) + \ldots + Num(Cnt_k) < R$. Here $Num(Cnt_i)$ is the number specified by the outputs of the i-th counter and R is a constant equal to $k * (2^m - 1) + 1$. Since the maximum number that appears at the outputs of a counter is $2^m - 1$, property $\xi$ holds. Since the counters are independent of each other, the state space of N is the Cartesian product of the k state spaces of individual counters. However, property $\xi$ itself is not compositional (one cannot verify it by solving k independent subproblems), which makes verification harder.

The first two columns of Table I give the value of m and k of four circuits N. The third column specifies the number of state variables (equal to m * k). In this experiment, we applied EnumSA and DDS_impl to verify property $\xi$ using forward model checking. In either case, the QEP-solver was used to compute CNF formula $RS^*(S_{next})$ specifying the next set of reachable states. It was obtained from formula $\exists S_{curr} \exists X.Tr(S_{curr}, S_{next}, X) \wedge RS_p(S_{curr})$ by quantifier elimination. Here Tr is a CNF formula representing the transition relation and $RS_p(S_{curr})$ specifies the set of states reached in p iterations. $RS_{p+1}(S_{curr})$ was computed as a CNF formula equivalent to $RS_p(S_{curr}) \vee RS^*(S_{curr})$.

We also estimated the complexity of verifying the examples of Table I by interpolation [16]. Namely, we used Picosat 913 and Minisat 2.0 for finding a proof that $\xi$ holds for $2^{m-1}$ iterations (the diameter of circuits N of Table I is $2^m$, m = 3, 4, 5, 6). Such a proof is used in the method of [16] to extract an interpolant. So, in Table I we give only the time necessary to find the first interpolant.

Table I shows that EnumSA does not scale well (the number of blocking clauses one has to generate for the formulas of Table I is exponential in the number of counters). Computation of interpolants scales much better, but Picosat and Minisat failed to compute a proof for the largest example in 2 hours.

The last two columns of Table I give the performance of DDS_impl when branching variables were chosen randomly (next to last column) and heuristically (last column). In either case, DDS_impl shows good scalability explained by the fact that DDS_impl is compositional. Moreover, the fact that the choice of branching variables is not particularly important means that DDS_impl has a "stronger" compositionality than BDD-based QEP-solvers. The latter are compositional only for particular variable orderings.

In the second and third experiments (Table II), we used the 758 model checking benchmarks of the HWMCC 10 competition [19]. In the second experiment (the first line of Table II), we used DP, EnumSA and DDS_impl to compute the set of states reachable in the first transition. In this case one needs to find CNF formula $F^*(Y)$ equivalent to $\exists X.F(X,Y)$ where $F(X,Y)$ specifies the transition relation and the initial state. Then $F^*(Y)$ gives the set of states reachable in one transition.

In the third experiment (the second line of Table II), we used the same benchmarks to compute the set of bad states in backward model checking. In this case, formula $F(X,Y)$ specifies the output function and the property (where Y is the set of variables describing the current state). If $F(X,Y)$ evaluates to 1 for some assignment (x,y) to $X \cup Y$, the property is broken and the state specified by y is "bad". The formula $F^*(Y)$ equivalent to $\exists X.F(X,Y)$ specifies the set of bad states.

Table II shows the number of benchmarks solved by each program and the percentage of this number to 758. Besides, the time taken by each program for the solved benchmarks is shown. DDS_impl solved more benchmarks than EnumSA and DP in forward model checking and dramatically more benchmarks in the backward model checking. DDS_impl needed more time than DP and EnumSA because typically the benchmarks solved only by DDS_impl were the most time consuming.

IX. Background 

The notion of boundary points was introduced in [13] for pruning the search tree (in the context of SAT-solving). The relation between a resolution proof and the process of elimination of boundary points was discussed in [14], [12]. The previous papers considered only the notion of {z}-boundary of formula G(Z) where z is a variable of Z. In the present paper, we consider Z'-boundary points where Z' is an arbitrary subset of Z. (This extension is not trivial and at the same time crucial for the introduction of D-sequents.)

The idea of a QEP-solver based on enumerating satisfying assignments was introduced in [17]. It has been further developed in [15], [7], [2]. In [16] it was shown how one can avoid QEP-solving in reachability analysis by building interpolants. Although this direction is very promising, interpolation based methods have to overcome the following problem. In the current implementations, interpolants are extracted from resolution proofs. Unfortunately, modern SAT-solvers are still not good enough to take into account the high-level structure of a formula. (An example of that is given in Section VIII.) So proofs they find and the interpolants extracted from those proofs may have poor quality.

Note that our notion of redundancy of variables is different from observability related notions of redundancy. For instance, in contrast to the notion of careset [6], if a CNF formula G(Z) is satisfiable, all the variables of Z are redundant in the formula $\exists Z.G(Z)$ according to our definition. (G may have a lot of boundary points, but none of them is removable. So $\exists Z.G(Z)$ is equivalent to an empty CNF formula. Of course, to prove the variables of Z redundant, one has to derive D-sequent $\emptyset \rightarrow Z$.)

X. Conclusion 

We present a new method for eliminating existential quantifiers
from a Boolean CNF formula $\exists X.F(X,Y)$. The essence
of this method is to add resolvent clauses to F and record
the decreasing dependency on variables of X by dependency 
sequents (D-sequents). An algorithm based on this method 
(called DDS, Derivation of D-Sequents) terminates when it 
derives the D-sequent saying that the variables of X are 
redundant. Using this termination condition may lead to a 
significant performance improvement in comparison to the 
algorithms based on enumerating satisfying assignments. This 
improvement may be even exponential (e.g. if a CNF formula 
is composed of independent subformulas.) 

Our preliminary experiments with a very simple implemen- 
tation show the promise of DDS. At the same time, DDS needs 
further study. Here are some directions for future research: a) 
decision making heuristics; b) reusing D-sequents; c) efficient 
data structures; d) getting information about the structure of 
the formula (specified as a sequence of D-sequents to derive). 
Appendix
Proofs of SectionHiI 

Proposition 1: Point p is a Z'-removable boundary point of a CNF formula G(Z) iff no point p* obtained from p by changing values of (some) variables of Z' satisfies G.

Proof: If part. Let us partition G into $G_1$ and $G_2$ where $G_1$ is the set of Z'-clauses and $G_2$ is the set of non-Z'-clauses. By definition, p is a Z''-boundary point where $Z'' \subseteq Z'$. So p satisfies $G_2$.

Let C be the clause such that

• $Vars(C) = Z \setminus Z'$,

• C is falsified by p.

Clause C is implied by $G_1$. Indeed, assume the contrary i.e. there exists p* for which $G_1(p^*) = 1$ and $C(p^*) = 0$. Note that since p* falsifies C, it can be different from p only in assignments to $Z \setminus Z'$. Then, there is a point p* obtained by flipping values of Z' that satisfies $G_1$. But since p* has the same assignments to variables of $Z \setminus Z'$ as p, it satisfies $G_2$ too. So p* is obtained by flipping assignments of Z' and satisfies G, which contradicts the assumption of the proposition at hand. So C is implied by $G_1$. Since C satisfies the conditions of Definition 5, p is a Z'-removable boundary point.

Only if part. Assume the contrary. That is, there is a clause C satisfying the conditions of Definition 5 and there is a point p* obtained from p by flipping values of variables of Z' that satisfies G. Then p* also satisfies the set $G_1$ of Z'-clauses of G. Since C is implied by $G_1$, then C is satisfied by p* too. Since p and p* have identical assignments to the variables of $Z \setminus Z'$, then C is also satisfied by p. However this contradicts one of the conditions of Definition 5 assumed to be true.

Proofs of SectionHTII 

Lemma 1: Let p' be a {z}-boundary point of CNF formula G(Z) where $z \in Z$. Let p'' be obtained from p' by flipping the value of z. Then p'' either satisfies G or it is also a {z}-boundary point.

Proof: Assume the contrary i.e. p'' falsifies a clause C of G that does not have variable z. (And so p'' is neither a satisfying assignment nor a {z}-boundary point of G.) Since p' is different from p'' only in the value of z, it also falsifies C. Then p' is not a {z}-boundary point of G. Contradiction.

Proposition 2: Let G(Z) be a CNF formula and z be a monotone variable of G. (That is, clauses of G contain the literal of z of only one polarity.) Then z is redundant in G.

Proof: Let us consider the following two cases.

• G(Z) does not have a {z}-boundary point. Then the proposition holds.

• G(Z) has a {z}-boundary point p'. Note that the clauses of G falsified by p' have the same literal l(z) of variable z. Let p'' be the point obtained from p' by flipping the value of z. According to Lemma 1 one needs to consider only the following two cases.

  - p'' satisfies G. Then p' is not a {z}-removable boundary point. This implies that p' is not a removable boundary point of G either (see Remark 1). So the proposition holds.

  - p'' falsifies only the clauses of G with literal $\overline{l(z)}$. (Point p'' cannot falsify a clause with literal l(z).) Then G has literals of z of both polarities and z is not a monotone variable. Contradiction.

Proposition 3: Let F(X,Y) be a CNF formula and X' be a subset of X. Then $\exists X.F(X,Y) \equiv \exists (X \setminus X').Dis(F,X')$ iff the variables of X' are redundant in F.

Proof: Denote by X'' the set $X \setminus X'$ and by $F^*(X'',Y)$ the formula Dis(F,X').

If part. Assume the contrary i.e. the variables of X' are redundant but $\exists X.F(X,Y) \not\equiv \exists X''.F^*(X'',Y)$. Let y be an assignment to Y such that $\exists X.F(X,y) \neq \exists X''.F^*(X'',y)$. One has to consider the following two cases.

• $\exists X.F(X,y) = 1$, $\exists X''.F^*(X'',y) = 0$. Then there exists an assignment x to X such that (x,y) satisfies F. Since every clause of $F^*$ is in F, formula $F^*$ is also satisfied by (x'',y) where x'' consists of the assignments of x to variables of X''. Contradiction.

• $\exists X.F(X,y) = 0$, $\exists X''.F^*(X'',y) = 1$. Then there exists an assignment x'' to variables of X'' such that (x'',y) satisfies $F^*$. Let x be an assignment to X obtained from x'' by arbitrarily assigning variables of X'. Since F(X,y) = 0, point (x,y) falsifies F. Since $F^*(x,y) = 1$ and every clause of F that is not in $F^*$ is an X'-clause, (x,y) is an $X'^{*}$-boundary point of F. Since F(X,y) = 0, (x,y) is removable. Hence the variables of X' are not redundant in F. Contradiction.

Only if part. Assume the contrary i.e. $\exists X.F(X,Y) \equiv \exists X''.F^*(X'',Y)$ but the variables of X' are not redundant in F. Then there is an $X'^{*}$-boundary point p=(x,y) of F where $X'^{*} \subseteq X'$ that is removable in F. Since p is a boundary point, F(p) = 0. Since p is removable, $\exists X.F(X,y) = 0$. On the other hand, since p falsifies only X'-clauses of F, it satisfies $F^*$. Then the point (x'',y) obtained from p by dropping the assignments to X' satisfies $F^*$. Hence $\exists X''.F^*(X'',y) = 1$ and so $\exists X.F(X,y) \neq \exists X''.F^*(X'',y)$. Contradiction.

Proofs of SectionHvI 

Definition 14: Point p is called a Z'-unremovable boundary point of G(Z) where $Z' \subseteq Z$ if p is a Z''-boundary point where $Z'' \subseteq Z'$ and clause C of Definition 5 does not exist. (According to Proposition 1 this means that by flipping values of variables of Z' in p one can get a point satisfying G.)

Definition 15: Let G(Z) be a CNF formula and p be a Z'-boundary point of G where $Z' \subseteq Z$. A point p* is called a Z''-neighbor of p if

• $Z' \subseteq Z''$

• p and p* are different only in (some) variables of Z''. In other words, p and p* can be obtained from each other by flipping (some) variables of Z''.

Proposition 4: Let G(Z) be a CNF formula. Let G have no {z}-removable boundary points. Let C be a clause. Then the formula $G \wedge C$ does not have a {z}-removable boundary point if at least one of the following conditions holds: a) C is implied by G; b) $z \notin Vars(C)$.

Proof: Let p be a complete assignment to the variables of G (a point) and C be a clause satisfying at least one of the two conditions of the proposition. Assume the contrary i.e. that p is a {z}-removable boundary point of $G \wedge C$.

Let us consider the following four cases.

1) G(p)=0, C(p)=0.

• Suppose that p is not a {z}-boundary point of G. Then it falsifies a clause C' of G that is not a {z}-clause. Then p is not a {z}-boundary point of $G \wedge C$. Contradiction.

• Suppose that p is a {z}-unremovable boundary point of G. (According to the conditions of the proposition at hand, G cannot have a {z}-removable boundary point.) This means that the point p' that is the {z}-neighbor of p satisfies G.

  - Assume that C is not a {z}-clause. Then p is not a {z}-boundary point of $G \wedge C$. Contradiction.

  - Assume that C is implied by G. Then C(p')=1 and so p' satisfies $G \wedge C$. Then p is still a {z}-unremovable boundary point of $G \wedge C$. Contradiction.

2) G(p)=0, C(p)=1.

• Suppose that p is not a {z}-boundary point of G. Then it falsifies a clause C' of G that is not a {z}-clause. Then p is not a {z}-boundary point of $G \wedge C$. Contradiction.

• Suppose that p is a {z}-unremovable boundary point of G. This means that the point p' that is the {z}-neighbor of p satisfies G.

  - Assume that C is not a {z}-clause. Then C(p)=C(p') and so C(p')=1. Then p' satisfies $G \wedge C$ and so p is a {z}-unremovable boundary point of $G \wedge C$. Contradiction.

  - Assume that C is implied by G and so C(p')=1. Hence p' satisfies $G \wedge C$. Then p is a {z}-unremovable boundary point of $G \wedge C$. Contradiction.

3) G(p)=1, C(p)=0.

• If C is implied by G, then we immediately get a contradiction.

• If C is not a {z}-clause, then p falsifies a non-{z}-clause of $G \wedge C$ and so p is not a {z}-boundary point of $G \wedge C$. Contradiction.

4) G(p)=1, C(p)=1. Point p satisfies $G \wedge C$ and so cannot be a {z}-boundary point of $G \wedge C$. Contradiction.

Proposition 5: Let G(Z) be a CNF formula. Let G have no {z}-removable boundary points. Let C be a {z}-clause of G. Then the formula $G' = G \setminus \{C\}$ does not have a {z}-removable boundary point.

Proof: Let p be a complete assignment to the variables of G (a point). Assume the contrary i.e. that $z \in Vars(C)$ and p is a {z}-removable boundary point of G'. Let us consider the following three cases.

1) G(p)=0, C(p)=0.

• Suppose that p is not a {z}-boundary point of G. Then there is a clause C' of G that is not a {z}-clause and that is falsified by p. Since C' is different from C (because the former is not a {z}-clause) it remains in G'. Hence p is not a {z}-boundary point of G'. Contradiction.

• Suppose that p is a {z}-unremovable boundary point of G. Then its {z}-neighbor p' satisfies G and hence G'. Then p either satisfies G' (if C is the only {z}-clause of G falsified by p) or p is a {z}-unremovable boundary point of G'. In either case, we have a contradiction.

2) G(p)=0, C(p)=1.

• Suppose that p is not a {z}-boundary point of G. Using the same reasoning as above we get a contradiction.

• Suppose that p is a {z}-unremovable boundary point of G. Then its {z}-neighbor p' satisfies G and hence G'. Let C' be a {z}-clause of G falsified by p. Since C' is different from C (the latter being satisfied by p), it is present in G'. Hence p falsifies G'. Then p is a {z}-unremovable boundary point of G'. We have a contradiction.

3) G(p)=1. Then G'(p)=1 too and so p cannot be a boundary point of G'. Contradiction.

Proofs of Section[V] 
SUBSECTION: Formula Replacement in a D-sequent 

Proposition 6: Let $F^+(X,Y)$ be a CNF formula obtained from F(X,Y) by adding some resolvents of clauses of F. Let q be a partial assignment to variables of X and $X' \subseteq X$. Then the fact that D-sequent $(F,X',q) \rightarrow X''$ holds implies that $(F^+,X',q) \rightarrow X''$ holds too. The opposite is not true.

Proof: First, let us prove that if {F,X',q) X" holds, 
X" holds too. Let us assume the contrary, 
i.e. {F,X',q) X" holds but {F+,X',q) ^ X" does not. 
According to Definition [Tol this means that either 

A) variables of X' are not redundant in F^ or 

B) variables of X" are not redundant in Dis{F^ , X'). 
CASE A: The fact that the variables of X' are not redundant 
in F+ means that there is a removable X'* -boundary point 
p of F+ where X'* C X'. The fact that the variables of X' 
are redundant in Fq means that p is not a removable X'*- 
boundary point of Fq. Let us consider the three reasons for 
that. 

• p satisfies Fq. Then it also satisfies F^ and hence cannot 
be a boundary point of F+. Contradiction. 

• p is not an X'* -boundary point of Fq. That is p falsifies 
a non-X'-clause C of Fq. Since F^ also contains C, 
point p cannot be an X'* -boundary point of F+ either 
Contradiction. 

• p is an X'* -boundary point of Fq but it is not removable. 
This means that one can obtain a point p* satisfying Fq 
by flipping the values of variables of X \ Vars{q) in p. 
Since p* also satisfies F^, one has to conclude that p 
is not a removable point of F+. Contradiction. 

CASE B: The fact that the variables of X" are not redundant in 
Dis{F^ , X') means that there is a removable X"* -boundary 
point p of Dis{F+,X') where X"* C X" . The fact that the 
variables of X" are redundant in Dis{Fq, X') means that p 
is not a removable X"*-boundary point of Dis{Fq, X'). 

Here one can reproduce the reasoning of case A). That is 
one can consider the three cases above describing why p is not 
an removable X"* -boundary point of Dis{Fq, X') and show 
that each case leads to a contradiction for the same reason as 
above. 

Now we show that if $(F^+,X',q) \rightarrow X''$ holds this does not mean that $(F,X',q) \rightarrow X''$ holds too. Let F(X,Y) be a CNF formula where X = {x}, Y = {y}. Let F consist of clauses $C_1, C_2$ where $C_1 = x \vee y$ and $C_2 = \overline{x} \vee y$. Let $F^+$ be obtained from F by adding the unit clause y (that is the resolvent of $C_1$ and $C_2$). It is not hard to see that the D-sequent $(F^+,\emptyset,\emptyset) \rightarrow \{x\}$ holds. (The latter does not have any {x}-boundary points. Hence it cannot have a removable {x}-boundary point.) At the same time, F has a removable {x}-boundary point p=(x=0,y=0). So the D-sequent $(F,\emptyset,\emptyset) \rightarrow \{x\}$ does not hold.



SUBSECTION: Resolution of D-sequents 

Definition 16: Let F{X,Y) be a CNF formula and 
X' C X. We will say that the variables of X' are locally 
redundant in F if every X" -boundary point p of F where 
X" C X' is X'-removable. 

Remark 5: We will call the variables of a set X' globally 
redundant in F{X, Y) if they are redundant in the sense of 
Definition I2I The difference between locally and globally re- 
dundant variables is as follows. When testing if variables of X' 
are redundant, in either case one checks if every ^''-boundary 
point p of F where X" C X' is removable. The difference 
is in the set variables one is allowed to change. In the case 
of locally redundant variables (respectively globally redundant 
variables) one checks if p is X'-removable (respectively X- 
removable). In other words, in the case of globally variables 
one is allowed to change variables that are not in X'. 

Lemma 2: If variables of X' are locally redundant in a CNF 
formula F{X, Y) they are also globally redundant there. The 
opposite is not true. 

Proof: See Remark |5] 

Lemma 3: Let z be a monotone variable of G{Z). Then 
variable z is locally redundant. 

Proof: Let us assume for the sake of clarity that only 
positive literals of z occur in clauses of G. Let us consider 
the following two cases: 

• Let G have no any {zj-boundary points. Then the 
proposition is vacuously true. 

• Let p be a {z}-boundary point. By flipping the value of z 
from to 1, we obtain an assignment satisfying G. So p 
is not a removable {z}-boundary point and to prove that 
it is sufficient to flip the value of z. Hence z is locally 
redundant in G. 

Lemma 4: Let F{X, Y) be a CNF formula and X' be a 
subset of variables of X that are globally redundant in F. Let 
X" be a non-empty subset of X'. Then the variables of X" 
are also globally redundant in F. 

Proof: Assume the contrary, i.e. the variables of X" are not 
globally redundant in F. Then there is an X"*-boundary point 
p where X"* C X" that is X-removable. Since X"* is also a 
subset of X', the existence of point p means that the variables 
of X' are not globally redundant in F. Contradiction. 

Remark 6: Note that Lemma |4] is not true for locally 
redundant variables. Let F{X, Y) be a CNF formula and X' 
be a subset of variables of X that are locally redundant in F. 
Let X" be a non-empty subset of X'. Then one cannot claim 
that the variables of X" are locally redundant in F. (However 
it is true that they are globally redundant in F.) 

For the rest of the Appendix we will use only the notion of 
globally redundant variables (introduced by Definition |7). 

Definition 17: Let X be a set of Boolean variables. Let G 
be a clause where Vars{G) C X. Let Vars{q) be a partial 
assignment to variables of X. Denote by Cq the clause that is 

• equal to 1 (a tautologous clause) if G is satisfied by q; 



• obtained from C by removing the literals falsified by q, 
if C is not satisfied by q. 

Definition 18: Let F{X, Y) be a CNF formula and q be 
a partial assignment to variables of X. Let X' and X" be 
subsets of X. We will say that the variables of X" are locally 
irredundant in Dis{Fq,X') if every X"* -boundary point 
of Dis{Fq,X') where X"* C X" that is (X \ Vars{q))- 
removable in Dis{Fq, X') is X-unremovable in F. We will 
say that the variables of X" are redundant in Dis{Fq, X') 
modulo local irredundancy. 

Remark 7: The fact that variables of X" are locally irre- 
dundant in Dis{Fq, X') means that the latter has an X"*- 
boundary point p where X"* C X" that cannot be turned 
into a satisfying assignment in the subspace specified by 
q (because the values of variables of Vars{q) cannot be 
changed). However, p can be transformed into a satisfying 
assignment if variables of Vars (q) are allowed to be changed. 
This means that p can be eliminated only by an X-clause 
(implied by F) but cannot be eliminated by a clause depending 
only on variables of Y. Points like p can be ignored. 

Lemma 5: Let F{X, Y) be a CNF formula. Let qi and q-2 
be partial assignments to variables of X that are resolvable on 
variable x. Denote by q the partial assignment Res(qi,q2,x) 
(see Definition [TTTl. Let Xi (respectively X2) be the subsets of 
variables of X already proved redundant in Fq^ (respectively 
Fq^). Let the set of variables X* where X* = XinX2 be non- 
empty. Then the variables of X* are redundant in Fq modulo 
local irredundancy. 

Proof: Assume that the variables of X* are not redundant in 
Fq and then show that this irredundancy is local. According 
to Definition |7] irredundancy of X* means that there is an 
X'* -boundary point p where X'* C X* that is (X \ Vars{q))- 
removable in Fq. Since p is an extension of q, it is also an 
extension of qi or q2- Assume for the sake of clarity that p 
is an extension of q^. 

The set of clauses falsified by p in Fq and Fq^ is specified 
by the set of clauses of F falsified by p. If a clause C of F 
is satisfied by p, then clause Cq (see Definition [TTb is either 

• not in Fq (because is C satisfied by q) or 

• in Fq and is satisfied by p. 

The same applies to the relation between clause Cg^ and CNF 
formula Fq^ . Let C be a clause falsified by p. Then C cannot 
be satisfied by q and so the clause Cq is in Fq The same 
applies to Cq^ and Fq^. 

Since p falsifies the same clauses of F in Fg^ and Fq, 
it is an Jf'* -boundary point of Fq^. Let P be the set of 
2\x\Vars{qi)\ points obtained fromp by changing assignments 
to variables of X \ Vars{qi). Since the variables of X* are 
redundant in Fq^ , then P has to contain a point satisfying Fq^ . 
This means that point p of Fq can be turned into an assignment 
satisfying F if the variables that are in Vars{q) \ Vars{qi) 
are allowed to change their values. So the irredundancy of X* 
in Fq can be only local. 

Remark 8: In Definition \W\ of D-sequent 
{F,X',q) X", we did not mention local irredundancy. 



However, in the rest of the Appendix we assume that the 
variables of X' in Fq and those of X" in Dis{Fq, X') may 
have local irredundancy. For the sake of simplicity, we do 
not mention this fact with the exception of Lemmas |7] and [8] 
In particular, in Lemma |8] we show that D-sequents derived 
by DDS_impl can only have local irredundancy and so the 
latter can be safely ignored. 

Remark 9: Checking if a set of variables X' , where X' C 
{X \ Vars{q)) is uredundant in Fq only locally is hard. 
For that reason DDS_impl does not perform such a check. 
However, one has to introduce the notion of local irredundancy 
because the latter may appear when resolving D-sequents (see 
Lemma|5]l. Fortunately, given a D-sequent [F, X' , q) X" , 
one does not need to check if irredundancy of variables X' 
in Fq or X" in Dis{Fq, X') (if any) is local. According to 
Lemma [8] this irredundancy is always local. Eventually a D- 
sequent {F, 0,0) — > X is derived that does not have any 
local irredundancy (because the partial assignment q of this 
D-sequent is empty). 

Lemma 6: Let F(X, Y) be a CNF formula and q be a 
partial assignment to variables of X. Let X*, where X* ⊆ X, 
be a set of variables redundant in F_q. Let sets X' and X'' 
form a partition of X*, i.e. X* = X' ∪ X'' and X' ∩ X'' = ∅. 
Then D-sequent (F, X', q) → X'' holds. 

Proof: Assume the contrary, i.e. that the D-sequent 
(F, X', q) → X'' does not hold. According to Definition [10] 
this means that either 

A) variables of X' are not redundant in F_q or 

B) variables of X'' are not redundant in Dis(F_q, X'). 

CASE A: This means that there exists an X'+-boundary point 
p (where X'+ ⊆ X' and q ≤ p) that is removable in 
F_q. This implies that the variables of X'+ are not a set of 
redundant variables. On the other hand, since X'+ ⊆ X' and 
the variables of X' are redundant, the variables of X'+ are 
redundant too. Contradiction. 

CASE B: This means that there exists an X''+-boundary point 
p (where X''+ ⊆ X'' and q ≤ p) that is removable in 
Dis(F_q, X'). Note that point p is an X*+-boundary point 
of F_q where X*+ ⊆ X* (because F_q consists of the clauses 
of Dis(F_q, X') plus some X'-clauses). Since the variables of 
X* are redundant in F_q, the point p cannot be removable. 
Then there is a point p* obtained by flipping the variables 
of X \ Vars(q) that satisfies F_q. Point p* also satisfies 
Dis(F_q, X'). Hence, the point p cannot be removable in 
Dis(F_q, X'). Contradiction. 

Lemma 7: Let F(X, Y) be a CNF formula and q be 
a partial assignment to variables of X. Let D-sequent 
(F, X', q) → X'' hold modulo local irredundancy. That is, the 
variables of X' and X'' are redundant in F_q and Dis(F_q, X') 
respectively modulo local irredundancy. Then the variables of 
X' ∪ X'' are redundant in F_q modulo local irredundancy. 

Proof: Denote by X* the set X' ∪ X''. Let p be a removable 
X+-boundary point of F_q where X+ ⊆ X*. Let us consider 
the two possible cases: 

• X+ ⊆ X' (and so X+ ∩ X'' = ∅). Since p is 
removable, the variables of X' are irredundant in F_q. 
Since this irredundancy can only be local, one can turn 
p into an assignment satisfying F. This means that the 
irredundancy of variables X* in F due to point p is local. 

• X+ ⊈ X' (and so X+ ∩ X'' ≠ ∅). Then p is an 
X''+-boundary point of Dis(F_q, X') where X''+ = 
X+ ∩ X''. Indeed, for every variable x of X+ there 
has to be a clause C of F_q falsified by p such that 
Vars(C) ∩ X+ = {x}. Otherwise, x can be removed 
from X+, which contradicts the assumption that p is an 
X+-boundary point. This means that for every variable 
x of X''+ there is a clause C falsified by p such that 
Vars(C) ∩ X''+ = {x}. 

Let P denote the set of all 2^{|X \ (Vars(q) ∪ X')|} points 
obtained from p by flipping values of variables of 
X \ (Vars(q) ∪ X'). Let us consider the following two 
possibilities. 

- Every point of P falsifies Dis(F_q, X'). This means 
that the point p is a removable X''+-boundary 
point of Dis(F_q, X'). Hence the variables of X'' are 
irredundant in Dis(F_q, X'). Since this irredundancy 
is local, point p can be turned into an assignment 
satisfying F by changing values of variables of X. 
Hence the irredundancy of X* in F due to point p 
is local. 

- A point d of P satisfies Dis(F_q, X'). Let us consider 
the following two cases. 

• d satisfies F_q. This contradicts the fact that p is a 
removable X+-boundary point of F_q. (By flipping 
variables of X \ Vars(q) one can obtain a point 
satisfying F_q.) 

• d falsifies some clauses of F_q. Since F_q and 
Dis(F_q, X') are different only in X'-clauses, d is 
an X'*-boundary point of F_q where X'* ⊆ X'. 
Since p is a removable X+-boundary point of 
F_q, d is a removable X'*-boundary point of F_q. 
So the variables of X' are irredundant in F_q. 
Since this irredundancy is local, the point d can 
be turned into an assignment satisfying F by 
changing the values of X. Then, the same is true 
for point p. So the irredundancy of X* in F due 
to point p is local. 

Proposition 7: Let F(X, Y) be a CNF formula. Let 
D-sequents S1 and S2 be equal to (F, X1, q1) → X' and 
(F, X2, q2) → X' respectively. Let q1 and q2 be resolvable 
on variable x. Denote by q the partial assignment 
Res(q1, q2, x) and by X* the set X1 ∩ X2. Then, if S1 and S2 
hold, the D-sequent S equal to (F, X*, q) → X' holds too. 

Proof: Lemma [7] implies that the variables of X1 ∪ X' and 
X2 ∪ X' are redundant in F_{q1} and F_{q2} respectively. From 
Lemma [2] one concludes that the variables of the set X'' = 
(X1 ∪ X') ∩ (X2 ∪ X') are redundant in F_q. From Definition [10] 
it follows that X1 ∩ X' = X2 ∩ X' = ∅. So X'' = X* ∪ X' 
where X* ∩ X' = ∅. Then, from Lemma [6] it follows that the 
D-sequent (F, X*, q) → X' holds. 

SUBSECTION: Derivation of a D-sequent 

Proposition 8: Let F(X, Y) be a CNF formula and q be a 
partial assignment to variables of X. Let X_red be the variables 
proved redundant in F_q. Let x be the only variable of X that 
is not in Vars(q) ∪ X_red. Let D-sequent (F, X_red, q) → {x} 
hold. Then D-sequent (F, X'_red, g) → {x} holds where g and 
X'_red are defined as follows. Partial assignment g to variables 
of X satisfies the two conditions below (implying that g ≤ q): 

1) Let C be an {x}-clause of F that is not in Dis(F_q, X_red). 
Then either 

• g contains an assignment satisfying C or 

• D-sequent (F, X*_red, g*) → {x*} holds where 
g* ≤ g, X*_red ⊆ X_red, x* ∈ (X_red ∩ Vars(C)). 

2) Let p1 be a point such that q ≤ p1. Let p1 falsify a 
clause of F with literal x. Let p2 be obtained from p1 
by flipping the value of x and falsify a clause of F with 
literal x̄. Then there is a non-{x}-clause C of F falsified 
by p1 and p2 such that (Vars(C) ∩ X) ⊆ Vars(g). 

The set X'_red consists of all the variables already proved 
redundant in F_g. That is, every redundant variable x* of X_red 
with D-sequent (F, X*_red, g*) → {x*} such that g* ≤ g, 
X*_red ⊆ X_red is in X'_red. 

Proof: Assume the contrary, i.e. D-sequent 
(F, X'_red, g) → {x} does not hold, and so variable x 
is not redundant in Dis(F_g, X'_red). Hence there is a point 
p, g ≤ p, that is a removable {x}-boundary point of 

Let C be an {x}-clause of F. Note that Dis(F_g, X'_red) 
cannot contain the clause C_g if the clause C_q is not in 
Dis(F_q, X_red). If C_q is not in Dis(F_q, X_red), then g either 
satisfies C or C contains a variable of X_red that is also in 
X'_red (and hence C_g contains a redundant variable and so is 
not in Dis(F_g, X'_red)). 

So, for p to be an {x}-boundary point of F_g, there have to 
be {x}-clauses A and B of F such that 

• they are not satisfied by g and do not contain variables of 
X'_red (the clauses A_g and B_g are in Dis(F_g, X'_red)) 

• A is falsified by p and B is falsified by the point obtained 
from p by flipping the value of x. 

Let point p1 be obtained from p by flipping assignments to 
the variables of Vars(q) \ Vars(g) that disagree with q. By 
construction g ≤ p1 and q ≤ p1. Let p2 be the point obtained 
from p1 by flipping the value of x. Since x is not assigned in 
q (and hence is not assigned in g), g ≤ p2 and q ≤ p2. Then 
A_q and B_q are also in F_q. As we mentioned above, A and B 
cannot contain variables of X_red (otherwise they could not be 
in F_g). So A and B are also in Dis(F_q, X_red). 

Note that clause A is falsified by p1. Assume the contrary, 
i.e. that A is satisfied by p1. Then the fact that p and p1 
are different only in assignments to q and that p falsifies A 
implies that q satisfies A. But then by construction, g has to 
satisfy A and we have a contradiction. Since B is also an 
{x}-clause like A, one can use the same reasoning to show that p2 
falsifies B. 

Since p1 and p2 falsify {x}-clauses A and B and p1, p2 ≤ 
q, one can apply Condition 2 of the proposition at hand. That 
is, there must be a clause C falsified by p1 and p2 such that 
g contains all the assignments of q that falsify literals of C. 
This means that C is not satisfied by g. Besides, since due 
to Condition 2 every variable of Vars(C) ∩ X is in Vars(g), 
every variable of C_g is in Y. Hence a variable of C_g cannot be 
redundant. This means that C_g is in Dis(F_g, X'_red). Since p 
and p1 have identical assignments to the variables of Y, 
p falsifies C_g too. So p cannot be an {x}-boundary point of 
Dis(F_g, X'_red). Contradiction. 

Proofs of Section [VI] 

Lemma 8: Let (F, X', g) → X'' be a D-sequent derived 
by DDS_impl and q be the partial assignment when this 
D-sequent is derived. Let variables of X' be irredundant in F_g 
or variables of X'' be irredundant in Dis(F_g, X'). Then this 
irredundancy is only local. (See Definition [18] and Remarks [8] 
and [9].) 

Proof: We carry out the proof by induction on the number 
of D-sequents. The base step is that the statement holds for 
an empty set of D-sequents, which is vacuously true. The 
inductive step is to show that the fact that the statement holds 
for D-sequents S1, ..., Sn implies that it is true for S_{n+1}. Let 
us consider all possible cases. 

• S_{n+1} is a D-sequent (F, X', g) → {x} for a monotone 
variable x of Dis(F_g, X') where x ∈ (X \ (Vars(q) ∪ 
X')). Since formula Dis(F_g, X') cannot have removable 
{x}-boundary points (see Proposition [2]), variable x 
cannot be irredundant in Dis(F_g, X'). The variables of X' 
may be irredundant in F_g. However, this irredundancy 
can be only local. Indeed, using Lemma [T] and the 
induction hypothesis one can show that variables proved 
redundant for F_g according to the relevant D-sequents of 
the set {S1, ..., Sn} are indeed redundant in F_g modulo 
local irredundancy. 

• S_{n+1} is a D-sequent (F, ∅, g) → X' derived due to 
appearance of an empty clause C in F_g. Here g is the 
minimum subset of assignments of q falsifying C. In this 
case, F_g has no boundary points and hence the set X' of 
unassigned variables of F_g cannot be irredundant. 

• S_{n+1} is a D-sequent (F, X', g) → {x} derived after 
making the only unassigned variable x of Dis(F_q, X_red) 
redundant by adding resolvents on variable x. (As usual, 
X_red denotes the set of redundant variables already 
proved redundant in F_g.) In this case, every removable 
{x}-boundary point of Dis(F_q, X_red) is eliminated and 
so the latter cannot be irredundant in x. Due to 
Proposition [8] the same applies to Dis(F_g, X'). To show that 
irredundancy of variables of X' in F_g can be only local 
one can use the same reasoning as in the case when x is 
a monotone variable. 

• S_{n+1} is obtained by resolving D-sequents Si and Sj 
where 1 ≤ i, j ≤ n and i ≠ j. Let Si, Sj and S_{n+1} 
be equal to (F, Xi, qi) → X'', (F, Xj, qj) → X'' and 
(F, X', g) → X'' respectively where X' = Xi ∩ Xj and 
g is obtained by resolving qi and qj (see Definition [11]). 

Let us first show that irredundancy of X'' in Dis(F_g, X') 
can only be local. Let p be a removable X''*-boundary 
point of Dis(F_g, X') where X''* ⊆ X''. 
Then either qi ≤ p or qj ≤ p. Assume for the sake of 
clarity that qi ≤ p. Consider the following two cases. 

- p is not removable in Dis(F_{qi}, Xi). Then the 
irredundancy of X'' in Dis(F_g, X') due to point 
p is local. (A point satisfying Dis(F_{qi}, Xi) can 
be obtained from p by changing values of some 
variables from X \ (Xi ∪ Vars(qi)). The same point 
satisfies Dis(F_g, X') because g ≤ qi and X' ⊆ Xi.) 

- p is also removable in Dis(F_{qi}, Xi). This means that 
the variables of X' are irredundant in Dis(F_{qi}, Xi). 
By the induction hypothesis, this irredundancy is 
local. Then one can turn p into a satisfying assignment 
of F by changing assignments to variables of X. 
Hence the irredundancy of X'' in Dis(F_g, X') due 
to point p is also local. 

Now, let us show that irredundancy of X' in F_g can only 
be local. Let p be a removable X'*-boundary point of F_g 
where X'* ⊆ X'. Again, assume for the sake of clarity 
that qi ≤ p. Consider the following two cases. 

- p is not removable in F_{qi}. Then the irredundancy of 
X' in F_q due to point p is local. (A point satisfying 
F_{qi} can be obtained from p by changing values of 
some variables from X \ Vars(qi). The same point 
satisfies F_g because g ≤ qi.) 

- p is also removable in F_{qi}. This means that the 
variables of X' (and hence the variables of Xi) are 
irredundant in F_{qi}. By the induction hypothesis, this 
irredundancy is local. Then one can turn p into a 
satisfying assignment of F by changing assignments 
to variables of X. Hence the irredundancy of X' in 
F_q due to point p is also local. 

Remark 10: Note that correctness of the final D-sequent 
(F, ∅, ∅) → X modulo local irredundancy implies that the 
variables of X are redundant in F. In this case, there is no 
difference between just redundancy and redundancy modulo 
local irredundancy because q is empty. (So the value of any 
variable of X can be changed when checking if a boundary 
point is removable.) 

Lemma 9: Let F(X, Y) be a CNF formula and X = 
{x1, ..., xk}. Let S1, ..., Sk be D-sequents where Si is the 
D-sequent ∅ → {xi}. Assume that S1 holds for the formula 
F, S2 holds for the formula Dis(F, {x1}), ..., Sk holds for 
the formula Dis(F, {x1, ..., x_{k-1}}). (To simplify the notation 
we assume that D-sequents Si have been derived in the order 
they are numbered.) Then the variables of X are redundant in 
F(X, Y). 

Proof: Since S1 holds, due to Proposition [3] the formula 
∃X.F is equivalent to ∃(X \ {x1}).Dis(F, {x1}). Since S2 
holds for Dis(F, {x1}) one can apply Proposition [3] again to 
show that ∃(X \ {x1}).Dis(F, {x1}) is equivalent to ∃(X \ 
{x1, x2}).Dis(F, {x1, x2}) and hence the latter is equivalent 
to ∃X.F. By applying Proposition [3] k−2 more times one 
shows that ∃X.F is equivalent to Dis(F, X). According to 
Corollary [1] this means that the variables of X are redundant 
in F(X, Y). 
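The chain of equivalences in the proof of Lemma 9 can be checked by brute force on a small formula. The Python code below is an added example, not code from the paper or from DDS_impl: it makes each variable redundant DP-style by adding all resolvents on it, and it uses as its redundancy test the equivalence ∃X.F ≡ ∃(X \ X').Dis(F, X') that the proof relies on. The sample formula and all function names are constructed for illustration.

```python
from itertools import product

# Constructed sample F(X, Y): X = {1, 2} is quantified, Y = {3, 4} is free.
# Literals are DIMACS-style integers (v = positive literal, -v = negated).
X_VARS = [1, 2]
Y_VARS = [3, 4]
F = {frozenset(c) for c in ([1, 3], [-1, 2], [-2, 4], [-1, -2, -3])}

def satisfies(clauses, point):
    """True if the assignment `point` (var -> bool) satisfies every clause."""
    return all(any(point[abs(lit)] == (lit > 0) for lit in c) for c in clauses)

def exists(clauses, quantified, free):
    """Truth table of (exists quantified . clauses): the set of assignments
    to `free` (bool tuples in the order of `free`) that can be extended to
    a satisfying assignment."""
    table = set()
    for fv in product([False, True], repeat=len(free)):
        for qv in product([False, True], repeat=len(quantified)):
            point = {**dict(zip(free, fv)), **dict(zip(quantified, qv))}
            if satisfies(clauses, point):
                table.add(fv)
                break
    return table

def dis(clauses, xs):
    """Dis(F, X'): F with every clause containing a variable of X' removed."""
    return {c for c in clauses if not any(abs(lit) in xs for lit in c)}

def add_resolvents(clauses, x):
    """Add all non-tautological resolvents on variable x, keeping the parents."""
    out = set(clauses)
    for a in (c for c in clauses if x in c):
        for b in (c for c in clauses if -x in c):
            r = (a - {x}) | (b - {-x})
            if not any(-lit in r for lit in r):
                out.add(r)
    return out

def redundant(clauses, xs, quantified, free):
    """Assumed criterion: X' is redundant iff dropping the X'-clauses and the
    quantifiers over X' leaves the quantified formula unchanged."""
    rest = [v for v in quantified if v not in xs]
    return exists(clauses, quantified, free) == exists(dis(clauses, xs), rest, free)

def eliminate_in_order(clauses, order, free):
    """Lemma 9 chain: x1 redundant in F, x2 redundant in Dis(F, {x1}), ...
    Returns the final formula over `free` and the per-step redundancy checks."""
    cur, remaining, checks = set(clauses), list(order), []
    for x in order:
        cur = add_resolvents(cur, x)
        checks.append(redundant(cur, {x}, remaining, free))
        cur = dis(cur, {x})
        remaining.remove(x)
    return cur, checks

if __name__ == "__main__":
    f_star, checks = eliminate_in_order(F, X_VARS, Y_VARS)
    print("F*(Y) =", [sorted(c) for c in f_star], "steps redundant:", checks)
```

Without the resolvents, variable 1 is not redundant in the sample F: discarding its clauses makes the quantified formula true for every assignment to Y.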

Proposition 9: DDS_impl is sound and complete. 

Proof: First, we show that DDS_impl is complete. 
DDS_impl builds a binary search tree and visits every node 
of this tree at most three times (when starting the left branch, 
when backtracking to start the right branch, when backtracking 
from the right branch). So DDS_impl is complete. 

Now we prove that DDS_impl is sound. The idea of the 
proof is to show that all D-sequents derived by DDS_impl are 
correct. By definition, DDS_impl eventually derives correct 
D-sequents ∅ → {x} for every variable of X. From Lemma [9] 
it follows that this is equivalent to derivation of the correct 
D-sequent ∅ → X. 

We prove the correctness of D-sequents derived by 
DDS_impl by induction. The base statement is that the 
D-sequents of an empty set are correct (which is vacuously true). 
The induction step is to show that if the first n D-sequents are 
correct, then the next D-sequent S is correct too. Let us consider 
the following alternatives. 

• S is a D-sequent built for a monotone variable of 
Dis(F_q, X_red). The correctness of S follows from 
Proposition [8] and the induction hypothesis (that the D-sequents 
derived before are correct). 

• S is the D-sequent specified by a locally empty clause. 
In this case, S is trivially true. 

• S is a D-sequent derived by DDS_impl in the BPE 
state for variable x after eliminating {x}-removable 
{x}-boundary points of Dis(F_q, X_red). The correctness of S 
follows from Proposition [8] and the induction hypothesis. 

• S is obtained by resolving two existing D-sequents. The 
correctness of S follows from Proposition [7] and the 
induction hypothesis. 

Proofs of Section [VII] 

Definition 19: Let Proof be a resolution proof that a CNF 
formula H is unsatisfiable. Let G_proof be the resolution graph 
specified by Proof. (The sources of G_proof correspond to 
clauses of H. Every non-source node of G_proof corresponds to 
a resolvent of Proof. The sink of G_proof is an empty clause. 
Every non-source node of G_proof has two incoming edges 
connecting this node to the nodes corresponding to the parent 
clauses.) We will call Proof irredundant if for every node 
of G_proof there is a path leading from this node to the sink. 

Lemma 10: Let F(X, Y) be equal to F1(X1, Y1) ∧ ... ∧ 
Fk(Xk, Yk) where (Xi ∪ Yi) ∩ (Xj ∪ Yj) = ∅, i ≠ j. Let 
F be satisfiable. Let F have no {x}-removable {x}-boundary 
points where x ∈ Xi and Proof be a resolution proof of that 
fact built by DDS_impl. Then Proof does not contain clauses 
of Fj, j ≠ i (that is, no clause of Fj is used as a parent clause 
in a resolution of Proof). 

Proof: DDS_impl concludes that all {x}-removable 
{x}-boundary points have been eliminated if the CNF formula H 
described in Subsection [VI-C] is unsatisfiable. H consists of 
clauses of the current formula Dis(F_q, X_red) and the clauses 
of CNF formula H_dir. DDS_impl builds an irredundant 
resolution proof that H is unsatisfiable. (Making Proof irredundant 
is performed by function optimize of Figure [4].) 

Since formula F is the conjunction of independent 
subformulas, clauses of Fi and Fj, j ≠ i, cannot be resolved with 
each other. The same applies to resolvents of clauses of Fi 
and Fj and to resolvents of clauses of Fi ∧ H_dir and Fj. 
(By construction [12], H_dir may have only variables of 
{x}-clauses of F and some new variables, i.e. ones that are not 
present in F. Since x ∈ Xi, this means that the variables of 
H_dir can only overlap with those of Fi.) Therefore, an 
irredundant proof of unsatisfiability of H has to contain only clauses 
of either formula Fj, j ≠ i, or formula Fi ∧ H_dir. Formula 
F is satisfiable, hence every subformula Fj, j = 1, ..., k is 
satisfiable too. So, a proof cannot consist solely of clauses 
of Fj, j ≠ i. This means that Proof employs only clauses of 
Fi ∧ H_dir (and their resolvents). 

Proposition 10: DDS_impl is compositional regardless of 
how branching variables are chosen. 

Proof: The main idea of the proof is to show that every 
D-sequent generated by DDS_impl has the form g → X' where 
Vars(g) ⊆ Xi and X' ⊆ X. We will call such a D-sequent 
limited to Fi. Let us carry on the proof by induction. Assume 
that the D-sequents generated so far are limited to Fi and show 
that this holds for the next D-sequent S. Since one cannot 
resolve clauses of Fi and Fj, i ≠ j, if S is specified by a 
clause that is locally empty, S is limited to Fi. 

Let S be a D-sequent generated for a monotone variable 
x ∈ Xi. According to Remark [4] only Condition [1] contributes 
to forming g. In this case, Vars(g) consists of 

1) variables of {x}-clauses of F and 

2) variables of Vars(g*) of D-sequents g* → {x*} 
showing redundancy of variables x* of {x}-clauses of F. 

Every {x}-clause of F is either a clause of the original formula 
Fi or its resolvent. So the variables that are in g due to the 
first condition above are in Xi. By the induction hypothesis, 
the variables of Vars(g*) are also in Xi. 

Let S be obtained after eliminating {x}-removable 
{x}-boundary points where x ∈ Xi (see Subsection [VI-C]). Denote 
by g1 and g2 the two parts of g specified by Conditions [1] and [2] 
of Proposition [8]. (Assignment g is the union of assignments 
g1 and g2.) The variables of Vars(g1) are in Xi for the same 
reasons as in the case of monotone variables. 

To generate g2, DDS_impl uses proof Proof that formula 
H built from clauses of F and H_dir (see Subsection [VI-C]) 
is unsatisfiable. As we showed in Lemma [10], Proof employs 
only clauses of Fi ∧ H_dir and their resolvents. Only clauses 
of formula F are taken into account when forming g2 in 
Proposition [8] (i.e. clauses of H_dir do not affect g2). Since 
the only clauses of F used in Proof are those of Fi, 
Vars(g2) ⊆ Xi. 

Finally, if S is obtained by resolving two D-sequents limited 
to Fi, it is also limited to Fi (see Definition [12]). 



